Rolling your own SIM

Rolling your own SIM

I have been looking at pay-to-play security information management tools. Reviewed Q1Labs Radar, Cisco Mars, and Novell’s offering. The costs are tad high, particularly when a lot of the basic collections I can do with WMI scripts and C# code.

OSSIM (Open Source Security Information Management) is another option that I am looking into. Or maybe I will roll my own. Here are the key tools:

Hosts:

Log monitoring: Kiwi syslog, Snare
Signature-based analysis: Nagios, OSSEC
Vulnerability assessments: Nessus

Networks:

Local monitoring: Arpwatch
Signature-based analysis: Snort
Statistical-based analysis: Spade

Correlation:

Splunk
SQL Server 2005 SSRS and SSAS

Code or configure? Where is the best return for my time? I wager rolling my own will be a good learning experience. The money saved can then be invested in training materials and resources. Further, any analysis and cleanup will not go to waste if I change course. An off-the-shelf SIM tool will plug into a cleaned up network just as easily as it would into a unmonitored network, if not easier. I am going to keep tinkering for the time being.

That sums up my thinking at the moment.

Posted by