Network Security Firewalls

RE: Security Information Management versus Security Network Management

Subject: RE: Security Information Management versus Security Network Management applications
Date: Mon, 10 Jan 2005 17:21:06 -0700
Phil,

Thank you for your reply. For a Security Network Management product, refer to Alterpoint solutions (www.alterpoint.com). Some products in this space provide coverage in both definitions; some products that just specialize in Security Information Management are more feature rich, as indicated below, and more of the networky management stuff is leaning toward Security Information Management, as in being able to track changes, especially when utilized in an MSSP environment, where it is collecting logs from a remotely placed device at the customer's premises, providing information about other devices on a customer's network other than security issues. Some telecommunication providers are leaning towards a design that can capture non-IP enabled devices and shoot the information across the Internet back to their corresponding network/security operation centers.
Security Information Management systems currently are more based on the common networky/host-based solutions and not aimed at the network management side of the house.
A false positive on a voicemail system is much different from a network IDS system alerting on a portscan.


At 09:40 AM 1/11/2005, Phil Hollows wrote:
All:

Since I work for a SIM vendor, I think it is a mischaracterization of
the sector's value proposition to describe the end results of a
deployment as simply " ... do some basic correlation and produce nice
pretty graphs."

Depending on the SIM - and capabilities / approaches do vary greatly by
vendor - there is a great deal more than "basic" correlation.  For
example, more mature solutions can correlate events with vulnerability
scans (ISSA members can read an article on vulnerability correlation by
Joe Minieri, one of Open's engineers in a recent ISSA journal article,
http://www.issa.org/cgi/journallibrary.cgi?library=2004_November&file_index=0
(ISSA membership required to view) ).  The article reveals a lot
about how much work goes on into mapping vulnerabilities to IDS events.

Other approaches include risk-based analysis of events based on asset
vulnerability, value, attack source and criticality, and other metrics
that you can define.

The point of all this is not merely to put up a pretty graph or two.
The point is to pull the threat signal from the log noise, ideally
before a compromise or DOS has been effected so that you can choose how
and when to manage it.  Result: chase fewer false alarms (and find some
false negatives to boot: we *always* find live security issues that our
customers weren't aware of), focus on the highest risk events, and
ultimately make your organization more secure.

A well implemented SIM allows you to manage all your alerts from a
single front end, integrate with NMS consoles if that's the way your
organization works, and yes -- get simplified, accurate, business and
security oriented reports that will enable you to explain what happened
to management without either of you getting too great a headache.  Some
SIMs will also allow you to review your risk offline based on
vulnerability scans, so you can target mitigation / VM more precisely.
Simply aggregating events really isn't correlation (if anyone cares I've
a "SIM Semantics" section at open.com which is available w/o
registration at http://www.open.com/resources/insights/SIM-semantics.jsp
- I think there's a lot of confusion (and worse) associated with the
term "correlation" ).

"Security Network Management" is a new term for me (please, no, not
another TLA to add to the SIM / SEM alphabet soup :-)  Pretty much all
SIMs will allow you to automate some degree of remediation if that's
what you want to do.  Some SIM vendors are working to add policy
compliance violation monitoring to their threat dashboards.  You'll find
that all the vendors in the space - including us - have white papers on
compliance issues such as SOX and HIPAA.

I hope this helps

FWIW

Phil Hollows
VP Marketing
OpenService, Inc.
110 Turnpike Road, Suite 308
Westborough, MA 01581
http://www.open.com


-----Original Message-----
From: Mark Teicher [mailto:mht3@earthlink.net]
Sent: Friday, January 07, 2005 4:45 PM
To: firewalls@securityfocus.com
Subject: Security Information Management versus Security Network Management applications

Is there a big difference between Security Information Management
applications versus Security Network Management applications?  How do
they work in live environments versus development environments?  What is
the price point per end device?  Resiliency and Persistence??

A Security Information Management application is an application that can
extract logs from various commercial/non-commercial applications via SNMP,
syslog or some proprietary format, do some basic correlation and produce
nice pretty graphs.

A Security Network Management application allows entities to manage their
security applications from one unified front end.  Some Security Network
Management applications sometimes include a vulnerability or security
policy engine to ensure the managed devices are secure or something in
the policy is compliant with the various compliance policies that entities
must adhere to.

/thx

/mht

At 06:47 AM 1/3/2005, Shabbar Arsiwala wrote:
>Hi,
>
>We are looking to purchase a VPN Device. We are currently evaluating the
>CISCO VPN 3000 SERIES CONCENTRATORS. Could anyone suggest any other brands
>which work equally or better or any other pros/cons etc.
>
>We are looking at
>Approx 100 IPSec Remote Access Users
>Approx 100 Simultaneous WebVPN (Clientless) Access and a
>redundant/expandable solution.
>
>Thanks,
>Shabbar

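Phil's reply above describes two things a SIM does beyond aggregation: correlating IDS events with vulnerability scan results, and risk-scoring events by asset value and attack source. The following is an added illustration of that idea, not code from the thread or from any vendor mentioned in it; the asset table, finding ids (`VULN-0001` etc.), addresses and the scoring weights are all constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not from the thread): an asset table with last
# scan results, a small hostile-source list and a few IDS events.

@dataclass
class Asset:
    host: str
    value: int                                # business value 1 (low) .. 5 (critical)
    vulns: set = field(default_factory=set)   # finding ids from the last scan

@dataclass
class Event:
    src: str
    dst: str
    signature: str
    severity: int                             # sensor-assigned severity 1..5
    exploits: Optional[str] = None            # finding id the signature targets

ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", value=4, vulns={"VULN-0001"}),
    "10.0.0.6": Asset("10.0.0.6", value=3, vulns={"VULN-0002"}),
}
HOSTILE_SOURCES = {"198.51.100.7"}   # sources already seen attacking elsewhere

EVENTS = [
    Event("198.51.100.7", "10.0.0.5", "portscan", 1),
    Event("198.51.100.7", "10.0.0.5", "http-overflow-attempt", 4, "VULN-0001"),
    Event("198.51.100.7", "10.0.0.6", "http-overflow-attempt", 4, "VULN-0001"),
    Event("192.0.2.20", "10.0.0.6", "smtp-relay-probe", 2, "VULN-0002"),
]

def risk_score(event, assets, hostile):
    """0 when the scan shows the target is not exposed to what the signature
    targets (likely false positive); otherwise severity x asset value, doubled
    on confirmed exposure and bumped when the source is already known hostile."""
    asset = assets.get(event.dst)
    if asset is None:
        return event.severity             # unknown asset: keep raw severity
    if event.exploits is not None and event.exploits not in asset.vulns:
        return 0                          # signature fired, host not vulnerable
    score = event.severity * asset.value
    if event.exploits is not None:
        score *= 2                        # vulnerability correlation confirmed
    if event.src in hostile:
        score += 5
    return score

def prioritize(events, assets, hostile):
    """Drop suppressed events and order the rest by descending risk."""
    scored = [(risk_score(e, assets, hostile), e) for e in events]
    return sorted([(s, e) for s, e in scored if s > 0], key=lambda x: -x[0])
```

Run on the constructed events, the overflow attempt against the host that is not vulnerable is suppressed, while the same signature against the exposed host from a known-hostile source lands at the top of the queue.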