DK 'Log

The story starts as following. A couple of years ago Dr. Anton Chuvakin (for those who might not know him a well renowned security professional and speaker) made a prediction for 2006: that a Credible Open-Source SIM would not arrive.

A year later he said this goal hasn't been reached (as predicted). I remember being quite pissed off and upset at that time, but his point was right. Development had been slow, we didn't have resources and everything was a bit stalled. But that has changed and AlienVault is about two years old now, we made a huge step forward and I think OSSIM is nowadays more than S/MB as well as Enteprise ready. (And sadly our resources are still very limited compared of those which Arcsight, Symantec or others might have).

Yesterday I followed a couple of quick twitter exchanges where I'd like to quote the most significant ones:

• I agree but S/M of SMB probably won't have the capabilities to run something like OSSIM and it's not robust enough for Ent.
• @anton_chuvakin mind you, I simply asked if OSSIM had the potential, not that it was there yet... as always, I wonder, isn't there a better way?
• @falconsview Re: opn src #SIEM Well, show me a sizable deployment (and not one hand-built by its creators) and I will believe you.
• @anton_chuvakin Will you change your mind about opensource SIEM if I get you access to a sizable deployment not created by it's authors ? :P
• @dkarg Re: open src #SIEM Yes, I probably will.

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

1. OSSIM is not a SIEM.
2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise

So what do I need? I for myself have received news/feedback of pretty big OSSIM installations and have had my hands on another bunch of them. Ranging from 100 person Real Estate companies to >40000pc governmnet environments with distributed deployments and thousands of events per second (this last one using the COSS version of course). But, the point as mentioned by Anton is that we don't have our hands in it, the testimonial has to come from someone who's got a deployment running not managed by us. Both S/MB as well as large enterprise deployments are valid since there are two points to prove. I'd really like to hear from a large company which is supposedly using Splunk+OSSIM, can't say the name but that would be a good example :-).

So, if any of you reading this is in that situation please let Mr. Chuvakin and Mr. Hay know about it so they hopefully can change their minds on the subject. There's contact information on their respective homepages. Otherwise I'll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, "there's no spoon").

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday, thanks everybody for assisting and apologies for the, well, mishappenings. I got quite nervous, next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

I got talked into speaking at a webinar next week (well, we've got another one this week but it's already crowded so I'm only posting next weeks link. And since this week's is my first webinar ever the second one should be better anyway), namely about Open Source Information Security: Reduce Costs while Improving Security Profile & Compliance. That's it, nice and short name as I like and love them.

I don't know how it work out, guess it shouldn't be very boring and registration is free so if you want to join in you're more than welcome. Additionally you get something called CPE credits for attending (sounds like experience points ;-)).
Here is an excerpt from the description: