Well... I used to lead the solutions team at ArcSight. I was responsible for building all the compliance and "other" solutions. I have worked with up to ESM version 4.0.
There is no policy engine. It's a rules-engine. And yes, it's one of the best out there, if you want to do real time correlation.
In terms of compliance, it's what they sell as solutions. I am not going to comment on them here. It's what I built in my prior life. They are obviously stellar *grins*.
Sorry for being sparse on details, but I think you understand based on my bias.
-raffy
--
Raffael Marty
Chief Security Strategist @ Splunk>
Security Visualization: http://secviz.org
raffy.ch/blog
On Jan 28, 2008, at 12:19 AM, Reza Kordi wrote:
Raffy, what do you like about ArcSight? The policy engine? Compliance?
Which version of ArcSight did you look at?
Cheers, Reza
-----Original Message-----
From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Raffael Marty
Sent: Monday, 21 January 2008 18:17
To: swinog@swinog.ch
Subject: Re: [swinog] Log centralisation / mining
On Jan 21, 2008, at 3:45 AM, Roman Hochuli wrote:
Hello Raffy
Splunk. Definitely Splunk ;)
Raffael Marty
Chief Security Strategist @ Splunk>
Security Visualization: http://secviz.org
raffy.ch/blog
I see. A totally unbiased position. ;)
I assumed that was obvious... That's why I also said:
On a serious note, I ...
Reza wrote:
The most professional solution on market is surely EMC/RSA envision, if you see it you won't want to bother with anything else.
I would totally disagree. If you really want to go down that route, ArcSight is the one you want to go for. But again, be clear on what you are trying to do. All of these solutions are slightly different and should match your use.
-raffy
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog