I have been looking at pay-to-play security information management tools. Reviewed Q1Labs Radar, Cisco Mars, and Novell’s offering. The costs are a tad high, particularly when I can do a lot of the basic collection myself with WMI scripts and C# code.
OSSIM (Open Source Security Information Management) is another option that I am looking into. Or maybe I will roll my own. Here are the key tools:
Log monitoring: Kiwi syslog, Snare
Signature-based analysis: Nagios, OSSEC
Vulnerability assessments: Nessus
Local monitoring: Arpwatch
Signature-based analysis: Snort
Statistical-based analysis: Spade
SQL Server 2005 SSRS and SSAS
Code or configure? Where is the best return for my time? I wager rolling my own will be a good learning experience. The money saved can then be invested in training materials and resources. Further, any analysis and cleanup will not go to waste if I change course. An off-the-shelf SIM tool will plug into a cleaned-up network just as easily as it would into an unmonitored network, if not easier. I am going to keep tinkering for the time being.
That sums up my thinking at the moment.