I was just listening to this podcast about security information management (SIM) systems. Tom Bowers from Information Security magazine is talking about various topics in SIM. Unfortunately I have to disagree with Tom on a couple of points, if not more. But let me pick the couple I find most important:
- Visualization is a great tool to see attacks in real-time. However, you can only see where the attacks are coming from and not how many. What? Why would I not be able to visualize that? You can map the count to edge width, to node size, or to the color of your nodes, etc. I don’t know what system he looked at to make this statement, but that’s wrong!
- Active Response is something that SIMs cannot do. Well. Wrong again. I could tell you how ArcSight is doing this with the Threat Response Manager (TRM), but that would be a vendor pitch. That’s why I am going to mention SEC, the Simple Event Correlator. It can execute an arbitrary action when a rule fires. Well, it’s not a quantum leap from there to imagine how you could issue a command to add an ACL to a router, for example. To sum up: Active response is something SIMs can do! If you want to know how exactly you do this with SEC, read my chapter on event analysis in the new Snort book.
These were the main points where I disagree with Tom. He could have done a bit of a better job describing the benefits of visualization, but that’s another story.
[tags]arcsight,visualization[/tags]
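To make the visualization point concrete, here is an added example (my own code, not from the post or from any SIM product) that turns a few constructed firewall drop lines into a Graphviz DOT graph. The number of events between a source and a target is encoded three ways at once: as edge width, as node size, and as node fill color. The log format, IP addresses and the color ramp are assumptions for the example.

```python
"""Encode attack counts, not just attack sources, in a DOT graph.

Added example: parse constructed firewall drop lines, count (src, dst) pairs
and emit Graphviz DOT where count drives edge penwidth, node width and fill
color. Render with `dot -Tpng` if Graphviz is installed.
"""
import re
from collections import Counter

# Constructed sample lines in an iptables-like format (not real traffic).
SAMPLE_LOGS = """\
May 16 02:01:11 fw1 kernel: DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
May 16 02:01:12 fw1 kernel: DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
May 16 02:01:14 fw1 sshd[412]: Accepted publickey for ops from 10.10.1.5
May 16 02:01:15 fw1 kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
May 16 02:01:17 fw1 kernel: DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
May 16 02:01:19 fw1 kernel: DROP SRC=203.0.113.5 DST=192.0.2.20 PROTO=UDP DPT=161
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)")


def parse_edges(log_text):
    """Return a Counter of (src, dst) -> number of drop events."""
    edges = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines without SRC=/DST= (e.g. sshd) are ignored
            edges[(m.group("src"), m.group("dst"))] += 1
    return edges


def node_totals(edges):
    """Total events touching each node, used for node size and color."""
    totals = Counter()
    for (src, dst), n in edges.items():
        totals[src] += n
        totals[dst] += n
    return totals


def scale(value, vmax, lo, hi):
    """Linear map of a count in [1, vmax] onto the visual range [lo, hi]."""
    if vmax <= 1:
        return lo
    return lo + (hi - lo) * (value - 1) / (vmax - 1)


def heat_colour(value, vmax):
    """Map a count onto a yellow (#ffff00) to red (#ff0000) ramp."""
    frac = 0.0 if vmax <= 1 else (value - 1) / (vmax - 1)
    green = int(round(255 * (1 - frac)))
    return "#ff%02x00" % green


def to_dot(edges):
    """Emit a DOT digraph; counts drive penwidth, node width and fillcolor."""
    totals = node_totals(edges)
    emax = max(edges.values())
    nmax = max(totals.values())
    out = ["digraph attacks {", "  node [shape=circle, style=filled];"]
    for node, n in sorted(totals.items()):
        out.append('  "%s" [width=%.2f, fillcolor="%s", label="%s\\n%d"];'
                   % (node, scale(n, nmax, 0.5, 2.0), heat_colour(n, nmax), node, n))
    for (src, dst), n in sorted(edges.items()):
        out.append('  "%s" -> "%s" [penwidth=%.1f, label="%d"];'
                   % (src, dst, scale(n, emax, 1.0, 8.0), n))
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_dot(parse_edges(SAMPLE_LOGS)))
```

The same counts could just as well drive only one of the three channels; using all three here is only to show that each mapping is a one-line choice, not a limitation of the data.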
I completely agree with you Raffy…SIMs can do active response although some do not do it very well. I’m wondering if he meant that you might get burned with active response unless you totally understand how it works prior to enabling it?
I’ve seen situations where people have enabled active response mechanisms only to find that they didn’t exclude core routers from the block list…effectively bringing down their network in the middle of the night.
Comment by Andrew Hay — May 16, 2007 @ 6:33 am
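The post says a correlation engine only needs to run an arbitrary action to do active response, and the comment above gives the caveat: the action must never fire against core infrastructure. The following added example (my own code, not SEC's rule syntax and not any vendor's product) puts both together: a threshold rule in the SEC style that fires once a source trips N drops inside a time window, and a block action that consults an exclusion list before it emits a router ACL command. The event format, the addresses, the IOS-style ACL text and the excluded networks are all constructed assumptions.

```python
"""Threshold correlation with a guarded active response.

Added example standing in for a SEC-style rule + action. A real deployment
would replace acl_command()'s output with whatever the router accepts and push
it over ssh/NETCONF; here the action only returns the command so it can be
inspected (a dry run), which is the safest way to trial active response.
"""
import ipaddress
import re
from collections import defaultdict, deque

# Constructed event stream: "<epoch> <host> DROP SRC=<ip> DST=<ip>".
# 203.0.113.5 trips 5 drops in 40 s; 192.0.2.1 (a core router, perhaps a
# misconfigured probe) also trips 5 drops; 198.51.100.7 drips one per ~100 s.
SAMPLE_EVENTS = """\
1179280800 fw1 DROP SRC=203.0.113.5 DST=192.0.2.10
1179280805 fw1 DROP SRC=203.0.113.5 DST=192.0.2.10
1179280810 fw1 DROP SRC=192.0.2.1 DST=192.0.2.10
1179280812 fw1 DROP SRC=203.0.113.5 DST=192.0.2.11
1179280815 fw1 DROP SRC=192.0.2.1 DST=192.0.2.10
1179280820 fw1 DROP SRC=198.51.100.7 DST=192.0.2.10
1179280825 fw1 DROP SRC=203.0.113.5 DST=192.0.2.12
1179280830 fw1 DROP SRC=192.0.2.1 DST=192.0.2.10
1179280835 fw1 DROP SRC=192.0.2.1 DST=192.0.2.10
1179280840 fw1 DROP SRC=203.0.113.5 DST=192.0.2.13
1179280845 fw1 DROP SRC=192.0.2.1 DST=192.0.2.10
1179280900 fw1 DROP SRC=198.51.100.7 DST=192.0.2.10
1179281000 fw1 DROP SRC=198.51.100.7 DST=192.0.2.10
1179281100 fw1 DROP SRC=198.51.100.7 DST=192.0.2.10
1179281200 fw1 DROP SRC=198.51.100.7 DST=192.0.2.10
"""

EVENT_RE = re.compile(r"^(?P<ts>\d+) \S+ DROP SRC=(?P<src>[\d.]+) ")

# Assumed exclusion list: core routers, the management network, the SIM
# itself. Anything here is reported, never blocked.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("192.0.2.1/32", "192.0.2.2/32", "10.10.0.0/16")]


def is_excluded(ip):
    """True if ip falls inside any network on the exclusion list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def acl_command(ip):
    """Assumed Cisco IOS-style ACL text; adapt to the device you actually use."""
    return "ip access-list extended SIM-BLOCK\n deny ip host %s any" % ip


def block_source(ip):
    """The active-response action: ('block', ip, cmd) or ('skip', ip, reason)."""
    if is_excluded(ip):
        return ("skip", ip, "address is on the NEVER_BLOCK list")
    return ("block", ip, acl_command(ip))


class ThresholdRule:
    """Fire `action` when `threshold` events from one source arrive within
    `window` seconds (sliding window per source, fire once, then re-arm)."""

    def __init__(self, threshold, window, action):
        self.threshold = threshold
        self.window = window
        self.action = action
        self.seen = defaultdict(deque)

    def feed(self, ts, src):
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # re-arm so one burst yields one action, not one per event
            return self.action(src)
        return None


def run(events_text, threshold=5, window=60):
    """Feed the event stream through the rule; return the actions it produced."""
    rule = ThresholdRule(threshold, window, block_source)
    decisions = []
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        decision = rule.feed(int(m.group("ts")), m.group("src"))
        if decision:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for verdict, ip, detail in run(SAMPLE_EVENTS):
        print(verdict, ip, detail.replace("\n", " | "))
```

Running it yields one block for 203.0.113.5 and one skip for the core router 192.0.2.1; the slow scanner 198.51.100.7 never reaches the threshold inside the window. The exclusion check lives in the action rather than in the rule, so every rule that reuses the action inherits it, which is the property the comment above is asking for.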
I’m also dealing with SIMs on a daily basis, and one of the things I get when meeting new customers is the impact and the risks associated with these products. Very seldom have I met somebody who actually lets the system update firewalls, ACLs, etc. They are glad it’s there, but nobody trusts a machine to perform security changes automatically 🙂
Comment by Dragos Lungu — May 16, 2007 @ 1:52 pm