[unisog] Security Event Correlation and Response

William Yang wyang at gcfn.net
Mon Mar 29 15:43:37 GMT 2004


Uhm...  there are a few out there (my guess is that others will point 
out the big commercial vendors; network intelligence, counterpane (which 
runs as a service rather than a product), etc).

However... growing your own is a highly educational process, if you have 
the time, manpower, and expertise to do so.  Networking, security, 
statistics, and visualization/interface design are the likely primary 
skills that software developers need to have.  Strong logic and analysis 
skills, of course, too.

While I can't go into the logic of what to correlate due to intellectual 
property concerns (it's not my right to give away the trade secrets of 
others), I can give a couple of useful observations.

1.  Recognize that hits against IDS signatures and firewall blocks, or 
other security messages, come in varying levels of severity and degree. 
  Finding a way to "score" signatures by imporatance will be a 
signficant educational process for you, and will teach you a great deal 
about the risks you're managing and, if done properly, may also 
illuminate the "business value" of your IT systems.

2.  The time value you consider events over is significant.  Events over 
1 hour, 1 day, or 1 week dramatically differ from events over 5 minutes. 
  Determine your service level expectation with respect to the "real 
time"-ness of your correlation and response processes.

3.  The volume of data you process will likely be the controlling factor 
in the level of effectiveness of your mining system.  Determining 
relevance of what to look at is a major technical and security 
challenge.  You need a broad enough set of sensors to capture scale , 
while staying narrowly targetted enough to maintain managability.

Hope this gives you a starting point.

	-Bill


Gary Flynn wrote:

> Do any of you have any home grown or commercial
> products you'd recommend?
> 

-- 
William Yang
wyang at gcfn.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.dshield.org/pipermail/unisog/attachments/20040329/b86c5dc8/smime-0003.bin


More information about the unisog mailing list