<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-6690994337395244641.post5715721665931898579..comments</id><updated>2007-03-29T16:02:42.749-05:00</updated><title type='text'>Comments on Paul Melson's Blog: Me vs. Mike Rothman: Could I Possibly Win?</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://pmelson.blogspot.com/feeds/5715721665931898579/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6690994337395244641/5715721665931898579/comments/default'/><link rel='alternate' type='text/html' href='http://pmelson.blogspot.com/2007/03/me-vs-mike-rothman-could-i-possibly-win.html'/><author><name>PaulM</name><uri>http://www.blogger.com/profile/02530533566781746778</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6690994337395244641.post-7740415149913671813</id><published>2007-03-29T16:02:00.000-05:00</published><updated>2007-03-29T16:02:00.000-05:00</updated><title type='text'>"SIM can be useful for incident response, BUT ONLY...</title><content type='html'>&lt;B&gt;&lt;I&gt;"SIM can be useful for incident response, BUT ONLY IF YOU DON'T MESS WITH THE RECORDS. Any kind of normalization, data reduction or anything else is a no-no. You mess with the data, it ceases to be evidence."&lt;/I&gt;&lt;/B&gt;&lt;BR/&gt;&lt;BR/&gt;If you want evidence to be "court-ready," then having access to the originals is necessary.  
But chomping logs - or more accurately, copies of logs -  and inserting them into a database doesn't render them useless.  Far from it.  But maybe we're missing each other on semantics here.  For instance, from my SIM console I can open a single IDS alert and view the original payload in hex or ascii.  So maybe it's all about depth of features. &lt;BR/&gt;&lt;BR/&gt;My point, in case I buried it in my original rebuttal of your article, is that SIM can streamline incident response and investigation by putting lots of data from different platforms and sources in one place where it can be searched and compared.  But also, your company's log data and operating environment are different enough that you can't buy a SIM that will find all the jewels and only jewels without some work on your part.&lt;BR/&gt;&lt;BR/&gt;And I enjoy very much the dialog on this topic.  Let's do it again some time.  :-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6690994337395244641/5715721665931898579/comments/default/7740415149913671813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6690994337395244641/5715721665931898579/comments/default/7740415149913671813'/><link rel='alternate' type='text/html' href='http://pmelson.blogspot.com/2007/03/me-vs-mike-rothman-could-i-possibly-win.html?showComment=1175202120000#c7740415149913671813' title=''/><author><name>PaulM</name><uri>http://www.blogger.com/profile/02530533566781746778</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07710546765367697106'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://pmelson.blogspot.com/2007/03/me-vs-mike-rothman-could-i-possibly-win.html' ref='tag:blogger.com,1999:blog-6690994337395244641.post-5715721665931898579' source='http://www.blogger.com/feeds/6690994337395244641/posts/default/5715721665931898579' 
type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-6690994337395244641.post-6384974433916131719</id><published>2007-03-28T09:55:00.000-05:00</published><updated>2007-03-28T09:55:00.000-05:00</updated><title type='text'>I don't know any Mr. Rothman. Folks just call me M...</title><content type='html'>I don't know any Mr. Rothman. Folks just call me Mike. :-)&lt;BR/&gt;&lt;BR/&gt;Thanks for the comments and the dialog. In a roundabout way, you validated the point I am making about SIM. It doesn't solve the customer's problem. At least not the problem that the folks that sell the solution think it does.&lt;BR/&gt;&lt;BR/&gt;And most SIM packages mess with the log data. That's a no-no when you are undertaking an investigation. To me that's the difference between a log management offering and a SIM.&lt;BR/&gt;&lt;BR/&gt;Paul, it's not about winning or losing. It's about having a good dialog.&lt;BR/&gt;&lt;BR/&gt;Mike.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6690994337395244641/5715721665931898579/comments/default/6384974433916131719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6690994337395244641/5715721665931898579/comments/default/6384974433916131719'/><link rel='alternate' type='text/html' href='http://pmelson.blogspot.com/2007/03/me-vs-mike-rothman-could-i-possibly-win.html?showComment=1175093700000#c6384974433916131719' title=''/><author><name>Mike Rothman</name><uri>http://blog.securityincite.com</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://pmelson.blogspot.com/2007/03/me-vs-mike-rothman-could-i-possibly-win.html' ref='tag:blogger.com,1999:blog-6690994337395244641.post-5715721665931898579' source='http://www.blogger.com/feeds/6690994337395244641/posts/default/5715721665931898579' type='text/html'/></entry></feed>