Friday, December 26, 2008

Differentiation of Log Management Solutions

Question:
Centralized Log Management
I'm looking for an enterprise log management solution which can collect logs from various network devices and servers (primarily Windows servers). The purpose is primarily compliance, e.g. detecting security issues, troubleshooting etc. I have read a lot of articles, but haven't found a good document containing a technical differentiation of the various log management products on offer. I require your professional suggestion on the subject.
Rgds
xxxxxx


Answer:
xxxxxx,
Here is a good start if you are looking for high level documents:
http://www.securitynews.cz/secnews/security.nsf/0/D328A8B95CC377A2C12572EF0069DF63/$file/Gartner_MQ.pdf

http://www.sans.org/score/esa_current.doc


On the technical side I would check the following areas with the solution provider:
1- Compatibility (which products are officially supported as log sources)
2- What are the event aggregation, consolidation, normalization and correlation options?
3- What if the log source is not supported? How easy is it to integrate?
4- How is licensing? When the deployment is distributed and you have remote event collectors, how does it work? (per event, per core, per site etc.)
5- What are the out-of-the-box reports? (Ask for actual reports; do not just say yes to report names, and do not just buy the "ISO 27001 and PCI reports are ready" sales pitch.)
6- How do you configure custom reports? Easy?
7- Do you have role-based management? Integration with LDAP, AD et al?
8- How do you integrate with other enterprise tools? Ticketing? GRC? Workflow etc? Easy?
9- Do you baseline data for anomaly detection? Do you support flow data analysis?
10- Can you get the solution in SaaS or fully managed MSSP format?
11- How do you scale?
12- How do you integrate with 3rd party storage solutions?
13- Is it more difficult than Google when you run a search?
14- How many people are required to run the operations? How many people are required to deploy it? Do you have formal training classes?
15- How do you maintain high availability? (Especially when you have multiple levels of aggregation.)
16- Is it possible to store/analyze raw network traffic?
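Item 2 is the one that is hardest to evaluate from a datasheet, so here is a small added example (not code from the post, and not any vendor's product) of what "normalization, consolidation and correlation" actually mean in practice. It parses a few constructed log lines in three different source formats (a Cisco ASA deny message, Linux sshd messages and a simplified Windows logon event) into one common schema, consolidates identical events into counts, and runs one correlation rule: several authentication failures from the same source for the same user followed by a success. The log lines, the 2008 year assumed for classic syslog timestamps (which carry no year), the field names and the rule threshold are all assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in three source formats (not real logs).
SAMPLE_LOGS = [
    "Jan 15 10:00:01 fw01 %ASA-6-106015: Deny TCP (no connection) from 10.1.1.5/4455 to 192.168.1.10/445 flags SYN",
    "Jan 15 10:00:02 fw01 %ASA-6-106015: Deny TCP (no connection) from 10.1.1.5/4456 to 192.168.1.10/445 flags SYN",
    "Jan 15 10:00:05 srv01 sshd[2211]: Failed password for admin from 10.1.1.5 port 5001 ssh2",
    "Jan 15 10:00:07 srv01 sshd[2211]: Failed password for admin from 10.1.1.5 port 5002 ssh2",
    "Jan 15 10:00:09 srv01 sshd[2211]: Failed password for admin from 10.1.1.5 port 5003 ssh2",
    "Jan 15 10:00:12 srv01 sshd[2213]: Accepted password for admin from 10.1.1.5 port 5004 ssh2",
    "Jan 15 10:01:00 win01 EventID=4625 User=bob Source=10.1.1.9 Status=0xC000006D",
    "Jan 15 10:01:30 win01 EventID=4624 User=bob Source=10.1.1.9 LogonType=3",
]

ASSUMED_YEAR = 2008  # classic syslog timestamps carry no year; assumed for this demo

SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Per-source message parsers: (regex, function mapping a match to normalized fields).
# Adding support for a new log source means adding one entry here (see item 3).
MESSAGE_PARSERS = [
    (re.compile(r"%ASA-\d-106015: Deny \w+ .*from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+"),
     lambda m: {"event": "fw_deny", "src": m["src"], "user": "-"}),
    (re.compile(r"sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"),
     lambda m: {"event": "auth_failure" if m["res"] == "Failed" else "auth_success",
                "src": m["src"], "user": m["user"]}),
    (re.compile(r"EventID=(?P<id>4624|4625) User=(?P<user>\S+) Source=(?P<src>[\d.]+)"),
     lambda m: {"event": "auth_success" if m["id"] == "4624" else "auth_failure",
                "src": m["src"], "user": m["user"]}),
]


def normalize(line):
    """Normalization: map one raw line to the common schema, or None if unsupported."""
    header = SYSLOG_HEADER.match(line)
    if not header:
        return None
    for pattern, build in MESSAGE_PARSERS:
        m = pattern.search(header["msg"])
        if m:
            event = build(m)
            event["time"] = datetime.strptime(
                f"{ASSUMED_YEAR} {header['ts']}", "%Y %b %d %H:%M:%S")
            event["host"] = header["host"]
            event["raw"] = line  # keep the original line for forensics/compliance
            return event
    return None


def aggregate(events):
    """Consolidation: collapse identical events into a count per (host, event, src, user)."""
    return Counter((e["host"], e["event"], e["src"], e["user"]) for e in events)


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold auth failures from one src for one user
    inside the window, followed by a success from the same src for that user."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["time"])
    for i, e in enumerate(ordered):
        if e["event"] != "auth_success":
            continue
        failures = [f for f in ordered[:i]
                    if f["event"] == "auth_failure" and f["src"] == e["src"]
                    and f["user"] == e["user"] and e["time"] - f["time"] <= window]
        if len(failures) >= threshold:
            alerts.append({"time": e["time"], "host": e["host"], "src": e["src"],
                           "user": e["user"], "failures": len(failures)})
    return alerts


def process(lines):
    """Run the three stages over raw lines; unsupported lines are dropped."""
    events = [ev for ev in map(normalize, lines) if ev]
    return events, aggregate(events), correlate(events)


if __name__ == "__main__":
    events, counts, alerts = process(SAMPLE_LOGS)
    for key, n in counts.items():
        print(n, key)
    for a in alerts:
        print("ALERT", a)
```

On the sample data the consolidation step reduces eight lines to five distinct (host, event, source, user) keys, and the correlation rule fires once: three sshd failures for `admin` from 10.1.1.5 inside 60 seconds, then a success. The single Windows failure for `bob` stays below the threshold. When you evaluate a product, ask to see exactly these three stages on your own log samples, and ask what happens to a line that no parser matches (here it is silently dropped, which a real deployment should never do).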




As discussed above and in other previous posts, there are several "commercial" solutions to manage log data from Windows servers, network equipment, UNIX servers, security devices etc. Depending on your requirements and event sources, the solutions may vary. I personally work with RSA Envision (formerly Network Intelligence), Cisco MARS, Loglogic, Q1 Labs and eIQ Networks, but there are many other solutions (e.g. IBM, CA, Novell, Arcsight, Intellitactics, NetForensics, TriGeo, Symantec, Quest, Consul, SenSage, and OpenService). In the meantime Nortel, Juniper and Enterasys have Q1-based offerings as well.
If you look at just the logging manager, you can extend the solution set with LogRhythm, Splunk, Snare and Kiwi Syslog Daemon.

If you have a specific question let me know,
cheers,
- yinal


Why GRC does not stick?

GRC in the IT field is supposed to be the next big thing. But why is it not here yet?

The term IT-GRC is not a fabricated name. It is a real-world response to an existing requirement which has evolved through the right steps: at the beginning there were only simple logs and policies, then came the tools, methodologies, and integrated solutions under the SIEM name. SIEM wasn't enough; we needed a solution set for managing governance, risk and compliance together, and then we had IT GRC.

IT-GRC has all the good signs of the next killer solution, but why is it not mainstream? Many people, including myself, ask the same question.

I would like to use the analogy in a very popular business book “Made to Stick” by Chip and Dan Heath.

Here is the book’s outline: The acronym "SUCCES" (with the last s omitted) abbreviates the ideas that stick... Each letter refers to a characteristic that can help make an idea "sticky":

Simple — find the core of any idea … First of all, GRC has 3 cores (like an odd Intel processor) and each core points in a different direction and at a different group in IT organizations. While we have difficulty finding the core of Governance, Risk or Compliance on its own, we need to interpret all 3 cores together. Nobody can claim that presenting the core of the GRC idea is simple (with the exception of the funny SAP people who think GRC is SoD).

Unexpected — grab people's attention by surprising them. GRC is not surprising. We have been waiting for such a solution for years; there were simply not enough drivers for a commercial one. Under the name of toolkits and methodologies everybody had a hodgepodge workflow; at the end of the day, who beats a nice combination of Excel, Word and lately SharePoint documents :) . An organized solution such as IT-GRC that can tie into the governance of IT processes, risk and compliance was always a project in progress. Luckily some vendors delivered much better organized solutions. But at the end of the day it was not surprising. When I make a presentation on GRC, the first question I get is "Can I buy a tool that delivers what you are talking about?" The question is wrong of course, but it steals all the "unexpected" beauty of the solution sets.

Concrete — make sure an idea can be grasped and remembered later. No, it won't be remembered easily even if Gartner says so. GRC covers a broad area, and it is not easy to find individuals who carry the responsibility and the attention span for all the GRC solutions.

Credibility — give an idea believability. GRC is too good to be true. Since it is new in the IT field, credibility is not easy. Many of the vendors will object to this statement, but it is difficult to give credibility to a toolset where the implementation and the operational details of specific customers play the bigger role. Like ERP deployments, IT GRC deployments have to be unique for every operation. Toolsets require deployment and they need to be supported by management and operation teams. Credibility will eventually show up with the maturity of the solutions. There are some vendors out there with great customer names, which may form a good start.

Emotion — help people see the importance of an idea. The emotion was lost for most of IT with the departure of the dot-com companies. But it is not difficult to create the emotion where governance can positively change the bottom line of the operations. I think this is a matter of time.

Stories — empower people to use an idea through narrative. I can tell stories about the firewalls we built in 1994. GRC needs more stories. IT GRC is new, and our stories are limited; a search on Amazon ends up with SAP, Oracle and the business side of old-world GRC. IT GRC stories are not fully published yet.

It will stick at some point, but hopefully not too late.
cheers,
- yinal