Linux Position at my company

John Miles jmiles242-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu May 26 19:07:06 UTC 2011


Yes - event correlation is an integral part of what we do.
There is then the action one can take on that traffic, and that is also a
very important thing we do.
And then, there is the propagation of what we learn, which then immediately
benefits all the other environments we manage.

An interesting part of this whole process is the presentation and organization
of the information one obtains.
It is all well and good to detect something and alert on it, but some
interesting things had to be done within the alerting mechanisms and
monitoring portals to keep the humans able to digest such a wide range of
notifications. It is interesting; it is almost as hazardous to 'over-alert'
as it is to raise fewer alerts.

Anyhoo, all I can say is that it is a very interesting business to be a part
of, and it is really awesome how Linux is an integral and permanent part of it.

John.


On Thu, May 26, 2011 at 12:03 PM, Mike Kallies <mike.kallies-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

> On Wed, May 25, 2011 at 11:39 AM, William Park <opengeometry-FFYn/CNdgSA at public.gmane.org>
> wrote:
> >
> ...
> > Can you expand on "event correlation engine"?  Any examples?
>
> Arcsight is the best example, it might be the best tool by far.  There
> are others... I evaluated them briefly, but they weren't in the same
> league.
>
> You can do stuff like feed vulnerability scan results, syslog and
> firewall data as well as IDS/IPS activity into the tool, and it can
> make intelligent decisions.  I'd only recommend this stuff for
> enterprises and security firms selling it as a service.  It's just not
> worth the team required to watch the screens.  (2 people, three shifts
> + weekend and holiday shifts + management = ~9-10 staff @ $50k/year +
> computers, real-estate, software licensing etc.etc....
> =~$600k-$1M/year)
>
> Small business, I'd just suggest keeping things as simple as possible,
> automate alerting as much as possible and tighten the firewall rules
> to the max.  Mid-sized businesses are a more complex problem and
> should probably outsource for the service.
>
> I wouldn't be surprised if some kind of SIEM project or event
> correlation research is what John's working on :-)
>
> -Mike
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
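As an added illustration of the two points raised in this thread (Mike's description of feeding firewall, syslog, IDS/IPS and vulnerability-scan data into one engine that "makes intelligent decisions", and John's warning that over-alerting is almost as hazardous as under-alerting), here is a small correlation engine in Python. This is example code written for this page; it is not ArcSight, not anything John's company runs, and not code from the original thread. The log formats, IP addresses, scan results, the severity rules and the 60-second throttling window are all constructed assumptions chosen to keep the example self-contained.

```python
"""Toy event correlation: combine firewall, IDS and vulnerability-scan data
per (source, destination), rank the result, then throttle repeat alerts so the
people watching the screen are not flooded.  Example code; all inputs below
are constructed, not real logs."""
import re
from datetime import datetime, timedelta

# Constructed sample firewall log (assumed format: ts host ACTION proto src:port -> dst:port)
FIREWALL_LOG = """\
2011-05-26T12:00:01 fw1 DENY TCP 203.0.113.7:51234 -> 192.0.2.10:445
2011-05-26T12:00:02 fw1 ALLOW TCP 203.0.113.7:51235 -> 192.0.2.10:80
2011-05-26T12:00:05 fw1 ALLOW TCP 203.0.113.7:51236 -> 192.0.2.10:80
2011-05-26T12:00:09 fw1 ALLOW TCP 198.51.100.4:4000 -> 192.0.2.20:22
"""
# Constructed sample IDS alerts (assumed format: ts host sid=N msg="..." src=.. dst=..)
IDS_ALERTS = """\
2011-05-26T12:00:03 ids1 sid=2001 msg="PHP remote file include attempt" src=203.0.113.7 dst=192.0.2.10
2011-05-26T12:00:06 ids1 sid=2001 msg="PHP remote file include attempt" src=203.0.113.7 dst=192.0.2.10
2011-05-26T12:00:10 ids1 sid=3002 msg="SSH brute force" src=198.51.100.4 dst=192.0.2.20
"""
# Constructed scan output: host -> ports on which the scanner found a known vulnerability
VULN_SCAN = {"192.0.2.10": {80}, "192.0.2.20": set()}

FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) \S+ (\S+):(\d+) -> (\S+):(\d+)$")
IDS_RE = re.compile(r'^(\S+) \S+ sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)$')


def parse_firewall(text):
    """Return one dict per parseable firewall line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, action, src, _sport, dst, dport = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def parse_ids(text):
    """Return one dict per parseable IDS alert line."""
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts, sid, msg, src, dst = m.groups()
        alerts.append({"ts": datetime.fromisoformat(ts), "sid": int(sid),
                       "msg": msg, "src": src, "dst": dst})
    return alerts


def correlate(fw_events, ids_alerts, vuln_scan, window=timedelta(seconds=30)):
    """Attach a severity to each IDS alert using firewall and scan context.

    Rule set is an assumption for the example: an IDS hit whose traffic the
    firewall ALLOWED onto a port the scanner flagged as vulnerable outranks
    the same signature against a patched host or a DENIED connection."""
    out = []
    for a in ids_alerts:
        related = [e for e in fw_events
                   if e["src"] == a["src"] and e["dst"] == a["dst"]
                   and abs(e["ts"] - a["ts"]) <= window]
        allowed_ports = {e["dport"] for e in related if e["action"] == "ALLOW"}
        vuln_ports = vuln_scan.get(a["dst"], set())
        if allowed_ports & vuln_ports:
            sev = "high"      # traffic reached a service the scanner flagged
        elif allowed_ports:
            sev = "medium"    # traffic got through, no known-vulnerable service
        elif related:
            sev = "low"       # firewall dropped it; worth a note, not a page
        else:
            sev = "info"      # no firewall context at all
        out.append(dict(a, severity=sev))
    return out


def throttle(alerts, window=timedelta(seconds=60)):
    """Emit the first alert per (src, dst, sid) within a window; fold repeats
    into a count on the emitted record instead of paging again."""
    last_emitted = {}
    emitted = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["src"], a["dst"], a["sid"])
        prev = last_emitted.get(key)
        if prev is not None and a["ts"] - prev["ts"] <= window:
            prev["count"] += 1
            continue
        rec = dict(a, count=1)
        last_emitted[key] = rec
        emitted.append(rec)
    return emitted


def run(fw_text=FIREWALL_LOG, ids_text=IDS_ALERTS, vulns=VULN_SCAN):
    """Full pipeline: parse both feeds, correlate against the scan, throttle."""
    return throttle(correlate(parse_firewall(fw_text), parse_ids(ids_text), vulns))


if __name__ == "__main__":
    for rec in run():
        print(f'{rec["ts"]} {rec["severity"]:6} x{rec["count"]} '
              f'{rec["src"]} -> {rec["dst"]} sid={rec["sid"]} {rec["msg"]}')
```

On the constructed input this emits two records instead of three: the two identical RFI alerts against the host whose scan showed a vulnerable port 80 collapse into one "high" alert with a count of 2, and the SSH brute-force attempt against a host with no flagged services comes out "medium". Severity comes from combining three feeds that are individually noisy, and the throttling is the simplest version of what John describes: the same information reaches the human, but as one line rather than a repeat page every few seconds.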