Forum Newbie
Group: Forum Members
Last Login: 8/26/2010 2:15:33 PM
Posts: 2,
Visits: 0
Hello all. This post is not intended to only focus on AD audits, but I didn't see a forum for more generalized IT audits. Does anyone have any suggestions for a good comprehensive source comparing features of various SIEM vendors/products? Just looking to avoid recreating the wheel, if there is already a good source of information out there. Features like... agents - required, optional, or do not exist... sources - what sources can the system collect information from?... native auditing - does the system only use native Microsoft auditing, or does the agent add functionality? scalability, archiving?, throughput (EPS), and possibly even cost/licensing.

Vendors/Products that come to mind (in no particular order):
Microsoft - Audit Collection Services (ACS/SCOM)
Quest - Change Auditor
Quest - InTrust
Prism Microsystems - Event Tracker
Tripwire - LogCenter
Tripwire - Enterprise
ArcSight - ESM
Splunk - Enterprise

Any information or even opinions on various products would be very much appreciated! I realize that not all of these products technically fall into a "SIEM" solution, but most can accomplish similar goals at different scales. Thanks for any feedback! Steve
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
Steve, I've always wanted to do that as a project but haven't been able to line the vendors up as sponsors. Maybe I should do it as an independent project and sell the report as a buyers' guide like Gartner does. I just don't know how demand and pricing would work out. RFS
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
I would be careful about the one from Gartner. I do not regard them as objective and independent.
Forum Newbie
Group: Forum Members
Last Login: 12/9/2010 11:47:17 AM
Posts: 1,
Visits: 0
RSA - enVision
Symantec
CA ELM
Q1 Labs have a strong offering as well.
The challenge with a comparison is that they are not like for like. Some use physical appliances, some use installable code for physical or virtual servers, some mix and match physical and virtual appliances. Some require tier one SAN, others need NAS and some will only work with bespoke hardware. The management interfaces vary greatly from vendor to vendor. Platform support can be a challenge. If you are a Windows business with Cisco networking and firewalls you are OK. Add in RACF / ACF2, AIX, Oracle, DB2, Check Point products, endpoint products and the depth of support varies greatly. One big grey area with all of the vendors is support for new products. If NetApp release a new ONTAP version they vary greatly in how long until they deliver a supported agent or configuration file for it. Go for a new product from a T1 vendor and you then need to engage professional services and that can be $50k upwards and two months minimum!
The biggest single issue I have seen with all of the tools is how slow they are regarding forensic digging where you are looking at a user's activities over months and sometimes looking through several hundred million records or well over a billion. None of the systems currently do this in any intelligent manner and the effort to do this sort of search involves many hours of specialists' time running dozens of reports covering a few days at a time and then having to collate the results.
Forum Newbie
Group: Forum Members
Last Login: 9/15/2011 1:54:29 PM
Posts: 1,
Visits: 0
Hello all, I'm not sure if it is appropriate for me to do this, but I work for a firm that also offers a log management solution and I would be happy to share with anyone interested. Thanks, Pat