Linux Position at my company
Mike Kallies
mike.kallies-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu May 26 16:03:05 UTC 2011
On Wed, May 25, 2011 at 11:39 AM, William Park <opengeometry-FFYn/CNdgSA at public.gmane.org> wrote:
>
...
> Can you expand on "event correlation engine"? Any examples?
ArcSight is the best example; it might be the best tool by far. There
are others... I evaluated them briefly, but they weren't in the same
league.
You can do stuff like feed vulnerability scan results, syslog and
firewall data as well as IDS/IPS activity into the tool, and it can
make intelligent decisions. I'd only recommend this stuff for
enterprises and security firms selling it as a service. It's just not
worth the team required to watch the screens. (2 people, three shifts
+ weekend and holiday shifts + management = ~9-10 staff @ $50k/year +
computers, real estate, software licensing, etc. etc.
= ~$600k-$1M/year)
For a small business, I'd just suggest keeping things as simple as possible,
automating alerting as much as possible and tightening the firewall rules
to the max. Mid-sized businesses are a more complex problem and
should probably outsource for the service.
I wouldn't be surprised if some kind of SIEM project or event
correlation research is what John's working on :-)
-Mike
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
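An added illustration of the kind of join Mike describes (not code from the thread, and not ArcSight's or any product's logic): a constructed vulnerability-scan export, firewall log and IDS log are correlated per target host and port, so an IDS alert on a host the scanner already flagged, where the firewall let the same source through, outranks one the firewall dropped. The log formats and all addresses are simplified, made-up stand-ins.

```python
import re

# Constructed sample feeds (not real logs); formats are simplified stand-ins.
SCAN_RESULTS = ["10.0.0.5 tcp/22 HIGH outdated-ssh-version",
                "10.0.0.7 tcp/22 HIGH outdated-ssh-version"]
FIREWALL_LOG = [
    "May 25 10:01:02 fw kernel: ACCEPT SRC=203.0.113.9 DST=10.0.0.5 DPT=22",
    "May 25 10:01:05 fw kernel: DROP SRC=203.0.113.9 DST=10.0.0.7 DPT=22",
]
IDS_LOG = [
    "May 25 10:01:03 ids snort: SSH brute-force attempt 203.0.113.9 -> 10.0.0.5:22",
    "May 25 10:01:06 ids snort: SSH brute-force attempt 203.0.113.9 -> 10.0.0.7:22",
    "May 25 10:02:10 ids snort: HTTP scanner user-agent 198.51.100.4 -> 10.0.0.9:80",
]

SCAN_RE = re.compile(r"^(\S+) tcp/(\d+) (\w+) (\S+)$")
FW_RE = re.compile(r"(ACCEPT|DROP) SRC=(\S+) DST=(\S+) DPT=(\d+)")
IDS_RE = re.compile(r"(\S+) -> (\S+):(\d+)$")


def correlate(scan, firewall, ids):
    """Join the three feeds on (target host, port) and rate each IDS alert.
    HIGH:   scanner flagged that host/port AND the firewall accepted the
            attacking source to it (exposure confirmed by two sources).
    MEDIUM: scanner flagged it, but the firewall dropped the traffic.
    LOW:    IDS alert with no matching vulnerability finding at all.
    """
    vulns = {}                              # (host, port) -> (severity, name)
    for line in scan:
        host, port, sev, name = SCAN_RE.match(line).groups()
        vulns[(host, int(port))] = (sev, name)
    accepted = set()                        # (src, dst, port) the firewall let through
    for line in firewall:
        m = FW_RE.search(line)
        if m and m.group(1) == "ACCEPT":
            accepted.add((m.group(2), m.group(3), int(m.group(4))))
    ratings = {}                            # (dst, port) -> priority
    for line in ids:
        m = IDS_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if (dst, port) not in vulns:
            ratings[(dst, port)] = "LOW"
        elif (src, dst, port) in accepted:
            ratings[(dst, port)] = "HIGH"
        else:
            ratings[(dst, port)] = "MEDIUM"
    return ratings
```

Calling `correlate(SCAN_RESULTS, FIREWALL_LOG, IDS_LOG)` rates 10.0.0.5:22 HIGH, 10.0.0.7:22 MEDIUM and 10.0.0.9:80 LOW; a real engine adds time windows and many more feeds, which is where the staffing cost above comes from.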