Intrusion Detection Systems mailing list archives

Re: RE: Tivoli Cross-Site for Security (was: RE: Ramping up for another review)


From: dwhitlow () wend dircon co uk (Dave Whitlow)
Date: Wed, 19 Jul 2000 23:48:42 +0100 (BST)


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
On Fri, 14 Jul 2000, Lodin, Steven {IT S~Indianapolis} wrote:

Date: Fri, 14 Jul 2000 09:46:09 -0400
From: "Lodin, Steven {IT S~Indianapolis}" <STEVEN.LODIN () ROCHE COM>
To: "'Lustiger, Alan'" <ALustiger () datek com>,
     'Greg Shipley' <gshipley () neohapsis com>, ids () uow edu au
Subject: IDS: RE: Tivoli Cross-Site for Security (was: RE: Ramping up for
    another review)

My (limited) understanding of Tivoli CrossSite is that it is composed of
three products:
 
Software Distribution using a BackWeb concept
Performance Monitoring using something similar to Keynote
Security, which is initially an Intrusion Detection piece that they
developed themselves and a future vulnerability scanner
 
(Note, the information on the security piece is about a year old, and as a
result of the product ownership shifting, they might have decided to toss
out the Do-It-Yourself code and replace it with some industry standard.)
 
If you are interested in multi-system log collection and processing, Tivoli
offers two potential solutions.
 
1) Tivoli Framework, Distributed Monitoring, and Global Enterprise
Monitoring.  The GEM piece does the system modeling and event correlation.
2) Tivoli Risk Manager.
 
Like the ISS SafeSuite Decisions product, the Tivoli product is limited in
the number of unique system types it supports.  The product that I like, at
the brochure-ware level, is the eSecurity product
http://www.esecurityinc.com/ .  It supports
many more different types of security systems and logs.

Steve,

We're looking at the eSecurity stuff right now and it seems worth a look.

IDS solutions suffer from noise, false positives and the risk of tuning
them until they're quiet most of the time.  Trouble is that this can mean
they're no longer useful.

The eSecurity stuff allows us to take the raw data from the various
sources (detectors/sensors/logs etc) and only alert when we get
combinations of events (in near real-time).  Also, it's pretty nice to
only have one security console to look at rather than one for each product
(who looks at them all anyway?).

take this example...

IDS detects a port scan - who cares?
firewall detects an opening connection - may be normal
Web server logs someone logging in - may be normal administration

All three events may be worth attention.

It seems like a product that lets us apply our knowledge of our systems
and policy to spot real security events out of the millions of events we
are detecting and logging.

We'll see how it goes .....

Cheers,

Dave

--
Dave Whitlow
EMail: dwhitlow () wend dircon co uk
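The correlation idea Dave sketches (a port scan, a firewall accept and a web-server admin login are each unremarkable alone, but the three in sequence from one host deserve attention) is small enough to show in code. What follows is an added example written for this archive page, not code from the original post or from the eSecurity, Tivoli or ISS products it discusses. The log format, the three source names, the stage chain and the 15-minute window are all assumptions, and the log lines are constructed for the example.

```python
"""Multi-source event correlation: fire only on a chain of events.

Added example, not from the original post or any product named in it.
Assumed log format (one event per line, whitespace separated):
    <ISO-8601 timestamp> <source> <kind> <src_ip> <dst_ip>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which detector/sensor/log produced it (ids, firewall, webserver)
    kind: str     # what that source reported (portscan, accept, admin_login)
    src_ip: str
    dst_ip: str


def parse_event(line: str) -> Event:
    """Parse one line of the assumed normalised log format."""
    ts, source, kind, src_ip, dst_ip = line.split()
    return Event(datetime.fromisoformat(ts), source, kind, src_ip, dst_ip)


# The chain from the post: each stage alone is noise, all three in order
# from one source host against one target is worth an analyst's time.
# (Stage names and the window are assumptions for this example.)
RULE_STAGES = (("ids", "portscan"),
               ("firewall", "accept"),
               ("webserver", "admin_login"))
WINDOW = timedelta(minutes=15)


def correlate(lines, stages=RULE_STAGES, window=WINDOW):
    """Return one alert per (src_ip, dst_ip) pair that completes the chain.

    Partial matches are tracked per pair; a partial match is discarded
    once the first matched event falls outside the window, so stages
    spread over hours do not accumulate into a false alert.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e.ts)
    progress = {}   # (src_ip, dst_ip) -> list of Events matched so far
    alerts = []
    for ev in events:
        key = (ev.src_ip, ev.dst_ip)
        matched = progress.get(key, [])
        # Expire a stale partial match before considering this event.
        if matched and ev.ts - matched[0].ts > window:
            matched = []
        idx = len(matched)
        if idx < len(stages) and (ev.source, ev.kind) == stages[idx]:
            matched = matched + [ev]
            if len(matched) == len(stages):
                alerts.append({
                    "src_ip": ev.src_ip,
                    "dst_ip": ev.dst_ip,
                    "first": matched[0].ts,
                    "last": matched[-1].ts,
                    "evidence": [(e.source, e.kind) for e in matched],
                })
                matched = []   # chain consumed; start over for this pair
        progress[key] = matched
    return alerts


# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = """\
2000-07-14T09:40:01 ids portscan 10.1.2.3 192.168.5.10
2000-07-14T09:41:12 firewall accept 10.1.2.3 192.168.5.10
2000-07-14T09:42:30 webserver admin_login 10.1.2.3 192.168.5.10
2000-07-14T09:50:00 firewall accept 10.9.9.9 192.168.5.10
2000-07-14T09:55:00 webserver admin_login 10.9.9.9 192.168.5.10
2000-07-14T11:00:00 ids portscan 10.7.7.7 192.168.5.10
2000-07-14T11:30:00 firewall accept 10.7.7.7 192.168.5.10
2000-07-14T11:31:00 webserver admin_login 10.7.7.7 192.168.5.10
""".splitlines()


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only 10.1.2.3 produces an alert: 10.9.9.9 never scanned, so its accept and login are treated as ordinary administration, and 10.7.7.7's scan is thirty minutes ahead of its connection, outside the window, so the chain is discarded rather than counted. The eight raw events collapse to one console entry, which is the point Dave makes about a single console and near-real-time combinations; the price is that the rule only sees what you told it to look for, so the stage list is where site knowledge and policy have to go.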


