[Dshield] SEIM Tool recommendation

Albert Gonzalez albertg at cerveau.us
Sat Feb 2 07:41:02 GMT 2008


At my current job they had CS-MARS deployed and it was just a PITA (although the network map was sweet). From the analysis perspective you would still need to access the security (IDS) devices. I don't think my alert data transport mechanism should be syslog. I have deployed several large ArcSight installations and have been truly pleased with its performance and ability to provide you the data you want.

Through CS-Mars I would have to retrieve packet information from the actual device. Another avenue to take to finish your analysis. The events/ps sucked as well.

I didn't need a huge deployment here and after several evals we chose NitroSecurity. It's really fast and has some great default views. I can get to what I need fast. I haven't dived into creating flows and whatnot, but you should give it a try. I did settle for syslog reporting, but at least I can actually encrypt the transport.

I am aware you can use BY for the binary data handling, but it's up to mgmt to decide if they don't want support :)

Thanks,

--  Sent from my HTC6800
http://blog.cerveau.us 

-----Original Message-----
From: DRice at TEP.Com
Sent: Friday, February 01, 2008 6:13 PM
To: list at lists.dshield.org
Subject: Re: [Dshield] SEIM Tool recommendation

I recently installed a High-Tower SEIM; I had it reporting events within the hour I unpacked it. I too reviewed ArcSight and Cisco Mars. ArcSight was way too big for our shop, and the sales guy I was working with did not even talk about his product; rather he spent the time trashing others. To me the Cisco Mars and High-Tower are almost identical, with the High-Tower SEIM having more current support for products, whereas it appears Cisco is dropping some support for products other than Cisco. If you're an all-Cisco shop then you may want to consider MARS; if you have a variety of devices, look at the High-Tower SEIM.

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Scott
Sent: Friday, February 01, 2008 12:42 PM
To: General DShield Discussion List
Subject: Re: [Dshield] SEIM Tool recommendation

We went through a similar RFP at my last job. Unlike Paul, my experience with ArcSight hasn't been that great, and by group consensus they didn't make it into the final evaluation stage of our RFP. We ended up reviewing Intellitactics and two others in the lab but went with Intellitactics after all was said and done. Unfortunately I left the company before they installed the SIEM, so I can't speak from first-hand knowledge of using it, but it was good in the lab tests we did.

We did use ArcSight exclusively at the job before last. The Oracle DB was very touchy if any events came in out of the acceptable format, and it required us to have a full-time Oracle DBA on staff to keep it happy. Other than that it's like most any SIEM tool: a beast to get initially configured, but powerful once you get there.

Scott

On Jan 31, 2008 11:31 PM, Basiru Ndow <bndow at ndowtech.com> wrote:
> My company is doing an RFP for a SEIM tool. Any recommendation will be
> highly appreciated... ARCSIGHT, RSA, Symantec, etc.
>
> Regards
>
> Bass
>
> _________________________________________
> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
> north if you can be in New Orleans.  http://www.sans.org/info/15826
>