[logs] SIM solution - Objectives ?
Ron Gula
rgula at tenablesecurity.com
Thu May 24 05:58:59 PDT 2007
Hi Saudi,
The real question is what constitutes a high alert for your network.
This is the biggest differentiator I've seen in deployments of our
logging products or other log/event managers out there.
If a high alert is nothing more than calling you if a certain Snort
event occurs, that is pretty simplistic and I don't really see a need to
be called within 15 or 30 minutes since this should be automated.
However, if your "high" alert is something more serious like a
successful compromise, a PCI/compliance usage violation or just that the
main firewall went down, I could see putting these into specific SLA
obligations being quite difficult to nail down. It could take more CPU
computation to arrive at a conclusion that a high quality alert occurred
within a specific policy, but most SIM/log-analyzers can do this sort of
thing today.
Separating High and Medium events based on alert time seems really
artificial to me. If your MSP is using automation to get an alert, I
doubt the Medium alerts take longer to compute than the High alerts.
(I haven't posted much here but Tenable does offer log aggregation,
normalization and correlation tools for netflow, syslog, firewalls, etc.)
Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
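The distinction drawn above, that a single Snort or login-failure event is not a "high" alert while a correlated condition (a success after repeated failures, or the firewall going down) is, as an added Python example that is not code from the original thread or from Tenable: the hosts, addresses and log lines are constructed, the window and threshold are assumed, and the 15/30-minute deadlines are the SLA figures from the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not from the thread).
SAMPLE_LOGS = [
    "2007-05-24T05:40:01 srv01 sshd: Failed password for root from 10.0.0.5",
    "2007-05-24T05:40:03 srv01 sshd: Failed password for root from 10.0.0.5",
    "2007-05-24T05:40:05 srv01 sshd: Failed password for root from 10.0.0.5",
    "2007-05-24T05:40:09 srv01 sshd: Accepted password for root from 10.0.0.5",
    "2007-05-24T05:41:00 srv02 sshd: Failed password for bob from 10.0.0.9",
    "2007-05-24T05:41:10 srv03 sshd: Failed password for bob from 10.0.0.9",
    "2007-05-24T05:42:00 fw01 heartbeat: DOWN",
]

# Response deadlines in minutes from the SLA in the question; Low has none
# (report-only, suitable for the weekly trend report).
SLA_MINUTES = {"High": 15, "Medium": 30}

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")  # ts host prog: msg


def classify(lines, window=timedelta(minutes=5), threshold=3):
    """Correlate raw lines into (severity, deadline, description) alerts."""
    failures = defaultdict(list)  # (host, source) -> recent failure times
    alerts = []

    def raise_alert(sev, ts, text):
        mins = SLA_MINUTES.get(sev)
        deadline = (ts + timedelta(minutes=mins)).isoformat() if mins else None
        alerts.append((sev, deadline, text))

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: retained in the log, never alerted on
        ts = datetime.fromisoformat(m.group(1))
        host, prog, msg = m.group(2), m.group(3), m.group(4)
        src = msg.rsplit(" from ", 1)[-1] if " from " in msg else None
        key = (host, src)
        recent = [t for t in failures[key] if ts - t <= window]
        if msg.startswith("Failed password"):
            failures[key] = recent + [ts]
            if len(failures[key]) >= threshold:
                raise_alert("Medium", ts, f"{len(failures[key])} failed logins on {host} from {src}")
            else:
                raise_alert("Low", ts, f"failed login on {host} from {src}")
        elif msg.startswith("Accepted password") and len(recent) >= threshold:
            raise_alert("High", ts, f"probable compromise on {host}: success after {len(recent)} failures from {src}")
        elif prog == "heartbeat" and msg == "DOWN":
            raise_alert("High", ts, f"{host} reported down")
    return alerts
```

Only the High alerts carry the 15-minute deadline; the isolated failures on srv02 and srv03 stay Low with no callout at all.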
saudi sans wrote:
> Hi,
>
> We have just started using a leading SIM for monitoring logs. It works
> well.
>
> The SIM management is outsourced. We have about 150 servers and 10
> security devices.
>
> We have SLAs that if a High alert comes the vendor should inform us within
> 15 minutes, for a medium alert it is 30 minutes, etc.
>
> Are corporates [who have some level of maturity in this space] using
> SIM solutions to do real time response or are we using it for weekly
> reports and then doing trend analysis ?
>
> Does it make sense to receive High alerts and take a 15 minute
> response when a login failure happens on a few servers?
>
> This question is NOT related to the SIM product capabilities but to the
> process to be followed and what goals we should set to achieve with
> SIM.