Today I discovered the site of alienvault. Alienvault is a Vendor for Security Information and Event Management (SIEM) Software. alienvault ist the creator if the leading Open Source Security Management tool – OSSIM.

After looking around on their site, I’m quite sure, that I – at least – want to try this thing out.

A few informations about OSSIM in advance, taken from their homepage:

AlienVault Open Source SIEM (OSSIM) is a complete Security Management solution that detects and profiles attacks, and provides a comprehensive, intelligent Security Management platform and toolset.

The entire solution is composed of open source distributions including all seamlessly integrated tools, and the security management platform. The OSSIM project was created and is currently coordinated by the founders of AlienVault.

The OSSIM platform consists of a Management Server, and Sensor or “Probe”. A professional version that includes Logger functionality is also available (please see below). The solution may be implemented as a single monolithic appliance or a set of appliances in which probes are separated from the management server, and distributed throughout the enterprise.

Probes capture network and system information in real time, and send it to the central Management Server where the data is analyzed to assess immediate threats and risk, filter out false positives, and locate false negatives that other security devices and software on the network cannot detect.

Probes not only capture data, but can be tasked as sophisticated attack detection components. They come with several attack detection systems, audit systems, and context learning systems (network profiles, inventory, availability), all of which are seamlessly integrated. When deployed in this fashion probes provide a very quick and safe way of continuously and transparently monitoring local and remote networks, providing provide full visibility of all security related aspects of the enterprise.

The information from the organization’s security systems, such as the firewall, antivirus, IPS, HIDS, etc, are all collected through these probes, and then analyzed through sophisticated intelligence technology. This technology correlates data from many sources to detect blended threats otherwise undetectable by individual systems; prioritize these threats; and make automated decisions with regard to the risk implied in each one.

OSSIM provides a complete management, reporting, and security analysis environment including graphical analysis, incident management workflow, and other tools. This system is capable of monitoring the security of globally distributed networks from a customizable, management console. High level, graphical dashboards are used to progressively drill down to the lowest level of detail.

Of course, there is a commercial version as well, the differences between the Open Source and the Commercial version are as follows:

Logger
The Logger allows for storage of large volumes of data while ensuring its admissibility as evidence in a court of law. The Logger provides an additional database specifically geared for massive, long-term forensic archiving. The Logger collects data in its native format, digitally signs and time-stamps the data, and securely stores it preserving data integrity; whereas the SIEM database is designed for the rapid and versatile analysis required for attack detection and response.

Scalability
AlienVault Professional SIEM allows for both horizontal and vertical load distribution. Horizontal distribution of security information is useful for high performance and high availability configurations. This architectural flexibility also enables highly customizable and scalable management scenarios.

For example, groups of management servers may be organized to create multiple hierarchies of management servers. This sort of architecture facilitates monitoring of large, distributed networks and makes it possible to create various levels of correlation and storage. Each of these hierarchies can then be rolled up into a global view that serves as a central console from which activity on any part of the network can be seen at any time down to the smallest detail.

Performance
AlienVault Professional SIEM is capable of handling very large volumes of data. The engineering team at AlienVault has structured system architecture with multiple optimization and load distribution layers so that the AlienVault Professional SIEM now offers 30 times the performance of OSSIM for any traffic type.

Accountability & Reliability
AlienVault Professional SIEM provides for greater accountability than OSSIM for those organizations that require commercial open source licensing. The commercial license, backed by AlienVault, is accompanied by a comprehensive commercial support and version maintenance offering at extremely competitive rates.

Both OSSIM and AlienVault Professional SIEM are thoroughly tested by AlienVault and the extensive OSSIM community. However, just as with all free open source products, new OSSIM versions that are not entirely stable may at times be released for testing purposes whereas only the most exhaustively tested versions of AlienVault Professional SIEM, which have been vetted for reliability and stability are released to market.

I wil try this thing out and tell you my opinion …….

Share on Facebook