Disclaimer: The views expressed in this article are those of the author, and not his employer, management or fellow employees.
Having worked in information security and in the IT field for 20 years, I'm struck with the frequency that systems designed to assist us end up becoming a sink hole for time, money and energy.
Lofty goals often result in the purchase of massively complicated systems with vast ranges of capabilities that should work and perform as the salesman says. Unfortunately the systems that attempt to be all things to all people are often useful things to very few people and a major pain in the butt to everyone else.
Today I'm advocating the selection of a few simple tools to cover what is needed.
Don't try to combine log archiving and event correlation network monitoring. It's just too cough to be effective. RSA envision tries and fails and Arcsight is only for the rich.
Archive your logs by all means but don't presume that this is easily harvested and turned into events and dashboards and monitoring.
If your goal is network monitoring, then select a network monitoring tool, like net witness or the cheaper Trisul. See the events from the wire and not from logs from the past.
That's all I have to say on this for now.
KISS - keep it simple stupid,
And avoid the Epic Fail.
S. Russell Dyer
BS CNE CISSP CRISC Security+ CICP
I.T insider, Former Network Engineer, and Security Analyst.
No comments:
Post a Comment