Linux Position at my company

Mike Kallies mike.kallies-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu May 26 16:03:05 UTC 2011


On Wed, May 25, 2011 at 11:39 AM, William Park <opengeometry-FFYn/CNdgSA at public.gmane.org> wrote:
>
...
> Can you expand on "event correlation engine"?  Any examples?

ArcSight is the best example, it might be the best tool by far.  There
are others... I evaluated them briefly, but they weren't in the same
league.

You can do stuff like feed vulnerability scan results, syslog and
firewall data as well as IDS/IPS activity into the tool, and it can
make intelligent decisions.  I'd only recommend this stuff for
enterprises and security firms selling it as a service.  It's just not
worth the team required to watch the screens.  (2 people, three shifts
+ weekend and holiday shifts + management = ~9-10 staff @ $50k/year +
computers, real-estate, software licensing etc.etc....
=~$600k-$1M/year)

Small business, I'd just suggest keeping things as simple as possible,
automate alerting as much as possible and tighten the firewall rules
to the max.  Mid-sized businesses are a more complex problem and
should probably outsource for the service.

I wouldn't be surprised if some kind of SIEM project or event
correlation research is what John's working on :-)

-Mike
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
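To make the "event correlation engine" idea concrete, here is an added example that is not part of the thread and not ArcSight's or any vendor's code: a toy correlation engine in Python that takes the three feeds Mike names (vulnerability scan results, firewall and syslog data, IDS alerts), joins them on source/destination/port, and assigns each event a priority. All log lines, hostnames, signature names and the four correlation rules are constructed for the example; the regexes match only the constructed formats shown.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed sample feeds (not real data) ---------------------------------

# Vulnerability scan export: (host, port, finding). Constructed.
VULN_SCAN = [
    ("10.0.0.5", 445, "SMB service flagged by scanner (constructed finding)"),
    ("10.0.0.7", 22, "SSH service flagged by scanner (constructed finding)"),
]

# Asset inventory mapping syslog hostnames to addresses. Constructed.
HOSTNAMES = {"srv7": "10.0.0.7"}

# Firewall log in an iptables-style format. Constructed.
FIREWALL_LOG = """\
May 25 11:01:02 fw1 kernel: ACCEPT SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=445
May 25 11:01:03 fw1 kernel: DROP SRC=203.0.113.9 DST=10.0.0.6 PROTO=TCP DPT=445
May 25 11:02:10 fw1 kernel: ACCEPT SRC=198.51.100.4 DST=10.0.0.7 PROTO=TCP DPT=22
May 25 11:03:00 fw1 kernel: ACCEPT SRC=203.0.113.9 DST=10.0.0.8 PROTO=TCP DPT=80
"""

# IDS alerts. Signature ids and names are constructed.
IDS_LOG = """\
May 25 11:01:02 ids1 snort: [1:1000001:1] SMB probe (constructed sig) 203.0.113.9 -> 10.0.0.5:445
May 25 11:01:03 ids1 snort: [1:1000001:1] SMB probe (constructed sig) 203.0.113.9 -> 10.0.0.6:445
May 25 11:03:00 ids1 snort: [1:1000002:1] Web scanner UA (constructed sig) 203.0.113.9 -> 10.0.0.8:80
"""

# sshd syslog lines from host srv7. Constructed.
SYSLOG = """\
May 25 11:02:11 srv7 sshd[2210]: Failed password for root from 198.51.100.4 port 40100 ssh2
May 25 11:02:12 srv7 sshd[2211]: Failed password for root from 198.51.100.4 port 40101 ssh2
May 25 11:02:13 srv7 sshd[2212]: Failed password for root from 198.51.100.4 port 40102 ssh2
May 25 11:02:15 srv7 sshd[2213]: Accepted password for root from 198.51.100.4 port 40103 ssh2
"""

# --- Parsers for the constructed formats --------------------------------------
FW_RE = re.compile(r"(?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dport>\d+)")
IDS_RE = re.compile(r"snort: \[[\d:]+\] (?P<sig>.+?) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")
SSH_RE = re.compile(r"^\S+ +\d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

SEVERITY = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass
class Alert:
    priority: str
    rule: str
    src: str
    dst: str
    dport: int
    detail: str


def correlate(vuln_scan, firewall_log, ids_log, syslog, hostnames, threshold=3):
    """Join the feeds and apply four hypothetical correlation rules."""
    vulnerable = {(host, port) for host, port, _ in vuln_scan}

    # Index firewall decisions by flow so IDS alerts can be checked against them.
    fw_action = {}
    for m in FW_RE.finditer(firewall_log):
        fw_action[(m["src"], m["dst"], int(m["dport"]))] = m["action"]

    alerts = []
    for m in IDS_RE.finditer(ids_log):
        flow = (m["src"], m["dst"], int(m["dport"]))
        action = fw_action.get(flow, "UNKNOWN")
        if action == "DROP":
            # Rule 1: the perimeter already blocked it; keep for the record only.
            alerts.append(Alert("info", "ids_blocked_by_firewall", *flow, m["sig"]))
        elif (m["dst"], int(m["dport"])) in vulnerable:
            # Rule 2: allowed traffic hitting a service the scanner flagged.
            alerts.append(Alert("critical", "ids_hit_on_vulnerable_service", *flow, m["sig"]))
        else:
            # Rule 3: allowed traffic, target not known to be vulnerable.
            alerts.append(Alert("medium", "ids_hit_allowed", *flow, m["sig"]))

    # Rule 4: repeated auth failures from one source followed by a success.
    failures = defaultdict(int)
    for line in syslog.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        dst = hostnames.get(m["host"], m["host"])
        key = (m["src"], dst)
        if m["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            prio = "critical" if (dst, 22) in vulnerable else "high"
            detail = f"{failures[key]} failures then success for user {m['user']}"
            alerts.append(Alert(prio, "brute_force_success", m["src"], dst, 22, detail))
    return alerts


def prioritized(alerts):
    """Stable sort so an analyst sees the most severe correlations first."""
    return sorted(alerts, key=lambda a: SEVERITY[a.priority])


if __name__ == "__main__":
    for a in prioritized(correlate(VULN_SCAN, FIREWALL_LOG, IDS_LOG, SYSLOG, HOSTNAMES)):
        print(f"[{a.priority:8}] {a.rule:30} {a.src} -> {a.dst}:{a.dport}  {a.detail}")
```

The point of the join is the one Mike makes: an IDS hit on its own is noise, but the same hit cross-referenced with a firewall ACCEPT and a scanner finding on that exact host and port is worth a person's attention, while a hit the firewall already dropped is not. Real products add persistence, time windows, asset criticality and many more rules, which is where the staffing cost he estimates comes from.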