{"id":93,"date":"2007-05-15T20:11:06","date_gmt":"2007-05-16T01:11:06","guid":{"rendered":"http:\/\/raffy.ch\/blog\/2007\/05\/15\/fact-or-fiction-the-future-of-sims\/"},"modified":"2007-05-18T11:09:41","modified_gmt":"2007-05-18T16:09:41","slug":"fact-or-fiction-the-future-of-sims","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2007\/05\/15\/fact-or-fiction-the-future-of-sims\/","title":{"rendered":"Fact or Fiction: The future of SIMs"},"content":{"rendered":"<p>I was just listening to this <a href=\"http:\/\/searchsecurity.bitpipe.com\/data\/mp3Player.do?res_id=1174224869_973\">podcast<\/a> about security information management (SIM) systems. <span class=\"resName\">Tom Bowers<\/span> from <span class=\"resJob\">Information Security magazine<\/span> talks about various topics in SIM. Unfortunately I have to disagree with Tom on a couple of points, if not more. Let me pick the two I find most important:<\/p>\n<ul>\n<li><a href=\"http:\/\/secviz.org\">Visualization<\/a> is a great tool to see attacks in real-time. Tom claims, however, that you can only see where the attacks are coming from and not how many there are. What? Why would I not be able to visualize that? You can map the count to edge width, to node size, to the color of your nodes, etc. I don&#8217;t know what system he looked at to make this statement, but it&#8217;s wrong!<\/li>\n<li>Tom also claims that active response is something SIMs cannot do. Wrong again. I could tell you how <a href=\"http:\/\/www.arcsight.com\">ArcSight<\/a> does this with the Threat Response Manager (TRM), but that would be a vendor pitch. That&#8217;s why I am going to point to <a href=\"http:\/\/www.estpak.ee\/~risto\/sec\/\">SEC<\/a>, the Simple Event Correlator, instead. Its rules can execute an arbitrary action when a correlation fires. It&#8217;s not a quantum leap from there to imagine issuing a command that adds an ACL to a router, for example. To sum up: active response is something SIMs can do! 
If you want to know exactly how to do this with SEC, read my chapter on event analysis in the new <a href=\"http:\/\/www.amazon.com\/Intrusion-Detection-Prevention-Toolkit-Security\/dp\/1597490997\/ref=pd_bbs_sr_1\/104-4973387-4064740?ie=UTF8&amp;s=books&amp;qid=1179276929&amp;sr=1-1\">Snort<\/a> book.<\/li>\n<\/ul>\n<p>These are the main points where I disagree with Tom. He could also have done a better job of describing the <a href=\"http:\/\/secviz.org\/?q=node\/72\">benefits of visualization<\/a>, but that&#8217;s another story.<\/p>\n<p>[tags]arcsight,visualization[\/tags]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was just listening to this podcast about security information management (SIM) systems. Tom Bowers from Information Security magazine is talking about various topics in SIM. Unfortunately I have to disagree with Tom on a couple of points, if not more. But let me pick the couple I find most important: Visualization is a great [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,2],"tags":[],"class_list":["post-93","post","type-post","status-publish","format-standard","hentry","category-security-information-management","category-visualization"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=93"}],"version-history":[{"count":0,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/93\/revisions"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?
parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
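The active-response point in the post (SEC executing an arbitrary action, such as pushing an ACL to a router) as a worked example. This is added here and is not code from the original post or from the SEC project: it writes one SEC SingleWithThreshold rule that counts repeated SSH authentication failures per source address, and defines the response script that rule calls. The auth.log message format, the threshold and window values, the script path /usr/local/sbin/block-source.sh, the TRUSTED_PREFIXES list and the "router-cli" wrapper are all assumptions for illustration; only the SEC rule keywords (type, ptype, pattern, desc, action=shellcmd, window, thresh) are SEC's own.

```shell
#!/bin/sh
# Added example, not from the original post or from the SEC project.
# Two pieces: (1) a SEC rule that counts repeated SSH login failures per
# source address and fires an action past a threshold, and (2) the response
# script that action calls, which emits router ACL lines for that address.
# Assumptions (not from the post): the auth.log message format, the threshold
# and window values, the script path /usr/local/sbin/block-source.sh, the
# TRUSTED_PREFIXES list, and the hypothetical "router-cli" wrapper.

# (1) SEC rule. "desc" contains $2 (the source IP), so SEC keeps a separate
#     counter per source; 5 matches within 60 s run the action once per window.
write_sec_rule() {
  cat > "$1" <<'EOF'
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)
desc=Repeated SSH failures from $2
action=shellcmd /usr/local/sbin/block-source.sh $2
window=60
thresh=5
EOF
}

# (2) The action. SEC hands $2 from the log line to a shell, so the value is
#     attacker-influenced: re-validate it here rather than trusting the regex
#     alone. Networks listed in TRUSTED_PREFIXES (space separated, e.g.
#     "10. 192.168.") are never blocked, so a forged log line cannot cut off
#     your own management hosts. With ACL_DRY_RUN=1 the ACL lines are printed
#     instead of being sent to the router.
block_source() {
  ip="$1"
  # Sanity check: digits and dots only, and four dotted groups.
  case "$ip" in
    *[!0-9.]*|"") printf 'refusing invalid source: %s\n' "$ip" >&2; return 1 ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
    *) printf 'refusing invalid source: %s\n' "$ip" >&2; return 1 ;;
  esac
  for prefix in ${TRUSTED_PREFIXES:-}; do
    case "$ip" in
      "$prefix"*) printf 'refusing to block trusted source: %s\n' "$ip" >&2; return 2 ;;
    esac
  done
  # Cisco IOS style ACL entry (assumed); adjust for your router. One line per command.
  acl="ip access-list extended BLOCK_FROM_SEC
deny ip host $ip any
exit"
  if [ "${ACL_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$acl"
  else
    # router-cli is a hypothetical wrapper that pushes config lines to the router.
    printf '%s\n' "$acl" | router-cli
  fi
}

# Stand-alone demo: dry-run the response for a constructed attacker address.
ACL_DRY_RUN=1 TRUSTED_PREFIXES="10. 192.168." block_source 203.0.113.7
```

Run the correlator against the rule file and the log in the usual way (sec --conf=/etc/sec/ssh-block.conf --input=/var/log/auth.log). In a real deployment, pair this with something that expires the ACL entries again, otherwise blocks accumulate forever, and keep the trusted-prefix list current: an active response that can be triggered by a log line is only as safe as the validation in front of the command it runs.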