[unisog] Security Event Correlation and Response
wyang at gcfn.net
Mon Mar 29 15:43:37 GMT 2004
Uhm... there are a few out there (my guess is that others will point
out the big commercial vendors; network intelligence, counterpane (which
runs as a service rather than a product), etc).
However... growing your own is a highly educational process, if you have
the time, manpower, and expertise to do so. Networking, security,
statistics, and visualization/interface design are the likely primary
skills that software developers need to have. Strong logic and analysis
skills, of course, too.
While I can't go into the logic of what to correlate due to intellectual
property concerns (it's not my right to give away the trade secrets of
others), I can give a couple of useful observations.
1. Recognize that hits against IDS signatures and firewall blocks, or
other security messages, come in varying levels of severity and degree.
Finding a way to "score" signatures by importance will be a
significant educational process for you, and will teach you a great deal
about the risks you're managing and, if done properly, may also
illuminate the "business value" of your IT systems.
2. The time value you consider events over is significant. Events over
1 hour, 1 day, or 1 week dramatically differ from events over 5 minutes.
Determine your service level expectation with respect to the "real
time"-ness of your correlation and response processes.
3. The volume of data you process will likely be the controlling factor
in the level of effectiveness of your mining system. Determining
relevance of what to look at is a major technical and security
challenge. You need a broad enough set of sensors to capture scale,
while staying narrowly targeted enough to maintain manageability.
Hope this gives you a starting point.
Gary Flynn wrote:
> Do any of you have any home grown or commercial
> products you'd recommend?
wyang at gcfn.net
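The three observations above (severity scoring, the time window you correlate over, and keeping the volume manageable by aggregating per source) can be shown in a few dozen lines. The following is an added illustration, not code from the poster or from any product mentioned in the thread. The signature weights and the sample events are constructed for the example; a real deployment would derive the weights from its own risk assessment, as the post suggests.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed severity weights per signature name. The post's point 1 is
# that choosing these numbers is itself the educational exercise; the values
# here are an assumption for the demonstration only.
SIGNATURE_WEIGHTS = {
    "FW:BLOCK_INBOUND": 1,
    "IDS:PORT_SCAN": 2,
    "IDS:SQL_INJECTION_ATTEMPT": 8,
    "IDS:WEB_SHELL_UPLOAD": 10,
}
DEFAULT_WEIGHT = 1  # anything unscored counts, but only a little

# Constructed sample events: (timestamp, source host, signature name).
# One host trips low-value firewall blocks and a scan, then, about forty
# minutes later, two high-value IDS signatures within seconds of each other.
SAMPLE_EVENTS = [
    ("2004-03-29 14:00:05", "10.0.0.7", "FW:BLOCK_INBOUND"),
    ("2004-03-29 14:00:09", "10.0.0.7", "FW:BLOCK_INBOUND"),
    ("2004-03-29 14:02:30", "10.0.0.7", "IDS:PORT_SCAN"),
    ("2004-03-29 14:40:00", "10.0.0.7", "IDS:SQL_INJECTION_ATTEMPT"),
    ("2004-03-29 14:41:10", "10.0.0.7", "IDS:WEB_SHELL_UPLOAD"),
    ("2004-03-29 14:03:00", "10.0.0.9", "FW:BLOCK_INBOUND"),
]


def load_events(raw=SAMPLE_EVENTS):
    """Parse raw tuples into dicts and attach the severity weight."""
    events = []
    for ts, src, sig in raw:
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src,
            "sig": sig,
            "weight": SIGNATURE_WEIGHTS.get(sig, DEFAULT_WEIGHT),
        })
    return events


def peak_window_scores(events, window_minutes):
    """For each source host, the highest total severity seen in any
    window of window_minutes. A two-pointer sliding window over the
    time-sorted events keeps this linear in the number of events, which
    matters once volume (the post's point 3) becomes the limiting factor."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)

    peaks = {}
    for src, evs in by_src.items():
        best = total = left = 0
        for right, ev in enumerate(evs):
            total += ev["weight"]
            # Drop events that fell out of the window behind the newest one.
            while evs[right]["time"] - evs[left]["time"] > window:
                total -= evs[left]["weight"]
                left += 1
            best = max(best, total)
        peaks[src] = best
    return peaks


def escalations(events, window_minutes, threshold):
    """Hosts whose peak windowed score meets the escalation threshold."""
    scores = peak_window_scores(events, window_minutes)
    return sorted(src for src, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    evs = load_events()
    # The same events, judged over 5 minutes versus 1 hour (point 2 of the
    # post), yield different peaks and so different escalation decisions.
    for minutes in (5, 60):
        print(f"{minutes:>3} min window: peaks={peak_window_scores(evs, minutes)}"
              f" escalate(>=20)={escalations(evs, minutes, 20)}")
```

With these constructed inputs the 5-minute window sees the two late high-value alerts together (score 18) but never the earlier reconnaissance alongside them, while the 1-hour window sums the whole sequence (score 22); with an escalation threshold of 20 only the longer window raises the host. That is the service-level question the post raises: a short window reacts faster but can miss a slow-moving pattern, a long window catches it but later.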