
SIEM for ITIL-Mature Incident Response (Part 1)

November 28th, 2011 | Posted by cpconstantine in News | Tutorial

Incident Response is a field stuck in perpetual-firefighting mode, when it exists at all as a formalized unit. Yet as major breaches continue to happen, Incident Response proves to be possibly the most essential part of any Enterprise Security Program; in the words of Bruce Schneier:

“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”

And yet, this most vital of components is still carried out as an arcane discipline, rarely measured or documented in a fashion that allows any assessment of its true effectiveness or value within the business. ITIL presents a framework for service maturity and capabilities within Information Technology, and has components for Incident Response, but these address general Service Incidents and only partially translate to Intrusion Response. SIEM technologies provide the capacity for extracting actionable information from system logs and data, but do little to directly enable effective workflow within the business unit.

In a series of documents on this subject, we will lay out the groundwork for using SIEM and event correlation to create a mature Security Incident Response program: one that can demonstrate and document repeatable, measurable processes, demonstrate ongoing value to the business beyond being merely a cost of doing business, and provide business-relevant metrics that can fuel Business Intelligence analysis and clearly demonstrate resourcing requirements and gaps.

SIEM for ITIL Incident Response – Part 1


New code piece: automatic plugin detection

October 16th, 2011 | Posted by DK in News

We just uploaded a snippet written earlier this year; it requires regexp.py and can automatically identify the log type a certain IP is sending via syslog.

DK

Mr Wolf Wannabe.


Can OSSIM be considered a SIEM? Is it enterprise ready?

June 20th, 2009 | Posted by DK in Personal DK

The story goes as follows. A couple of years ago Dr. Anton Chuvakin (for those who might not know him, a well-renowned security professional and speaker) made a prediction for 2006: that a Credible Open-Source SIM would not arrive.

A year later he said this goal hadn’t been reached (as predicted). I remember being quite pissed off and upset at that time, but his point was right. Development had been slow, we didn’t have resources and everything was a bit stalled. But that has changed and AlienVault is about two years old now; we made a huge step forward and I think OSSIM is nowadays more than S/MB as well as Enterprise ready. (And sadly our resources are still very limited compared to those which Arcsight, Symantec or others might have.)

Yesterday I followed a couple of quick Twitter exchanges, from which I’d like to quote the most significant ones:

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

  1. OSSIM is not a SIEM.
  2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise.

Well. Guess I’ll have to prove them wrong ;-). And on top I’m not pissed off, so I guess I’m growing up :-)).

So what do I need? I myself have received news/feedback of pretty big OSSIM installations and have had my hands on another bunch of them, ranging from 100-person real estate companies to >40000-PC government environments with distributed deployments and thousands of events per second (this last one using the COSS version, of course). But the point, as mentioned by Anton, is that we don’t have our hands in it; the testimonial has to come from someone who’s got a deployment running that is not managed by us. Both S/MB as well as large enterprise deployments are valid since there are two points to prove. I’d really like to hear from a large company which is supposedly using Splunk+OSSIM; I can’t say the name but that would be a good example :-).

So, if any of you reading this is in that situation please let Mr. Chuvakin and Mr. Hay know about it so they hopefully can change their minds on the subject. There’s contact information on their respective homepages. Otherwise I’ll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, “there’s no spoon”).

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday. Thanks everybody for attending and apologies for the, well, mishaps. I got quite nervous; the next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

DK


A review of a commercial SIM

December 5th, 2007 | Posted by DK in Personal DK

Some time ago, earlier this year, I had the opportunity to attend a conference where one of the leading SIM vendors (according to Gartner’s Magic Quadrant, at least) talked about their product. Although my opinion will always be biased and I tend to compare all that I see in this area with OSSIM, I also believe that I’ve got a solid base to judge others.

Anyway, since I know myself, and making a review comparing more than five years of work with a 5-hour demo and some document browsing isn’t fair, I won’t say the name of this product.


First of all I must say I went out of the event quite impressed, and somewhat jealous. The marketing part was impressive, well worked out and really conveyed the need for a SIM/SEM/SIEM to almost everybody. It seems governments and some questionable laws also help this industry a lot, making such an aggregated security system a must for many organizations. Anyway, this jealousy changed a bit afterwards.

I don’t want to extend this to the political arena though so just to the facts:

What I’ve learned

(And what we’re putting into practice these days)

  • Having an appliance-based solution (even if it’s in parallel with software) is a must.
  • Having tons of easy-to-understand data brochures is very important too.
  • Compliance is a very important area to focus on.
  • Beautiful graphs are crucial.
  • And so is ease of use.

Well, basically we already knew all of that but got the confirmation. Appliances are available, documentation is growing, we’ve developed lots of commercial things for partners, pretty graphs are present in the last releases and through the installer we started to reach an “everybody can install it” status.

Pros and Cons of this solution.

Pros:

  • Extensive help
  • Many predefined reports/alerts
  • Performance, at least on PowerPoint, looked great
  • Many devices supported

Cons:

  • Lack of customization options
  • Seemed somewhat “limited”. I mean, I had the feeling to have seen everything it did and could do after a couple of hours.
  • No contextual graphs / menus. Graphs are nice, but the ability to get from high level information to lower level and back, or aggregate by your criteria is even nicer. I was really surprised to see this was missing.
  • No talk about anomaly detectors, limited inventory options, sparse policy and asset management.
  • No extra software included.

Conclusion

If you’ve got everything in place, already have bought an IDS, an IPS, some other management systems, vulnerability scanners, NMS and such, then this sort of product is great for you.

If you have tons of money to spend and you quickly have to achieve a specific goal (hint: compliance), then this also seems like an obvious decision.

But if you’re starting from scratch or adapting a few systems to a SIM/SEM environment, I don’t see many reasons to favor this system over OSSIM :-). Now the only thing left is to read the How-do-I-get-into-the-Gartner-quadrant-in-order-to-focus-my-marketing-on-that-fact-HOWTO.

Remember, I’m biased…

DK
