DK 'Log


Can OSSIM be considered a SIEM? Is it enterprise ready?
Sat, 20 Jun 2009

The story starts as follows. A couple of years ago Dr. Anton Chuvakin (for those who might not know him, a well-renowned security professional and speaker) made a prediction for 2006: that a credible open-source SIM would not arrive.

A year later he said this goal hadn't been reached (as predicted). I remember being quite pissed off and upset at that time, but his point was right. Development had been slow, we didn't have resources and everything was a bit stalled. But that has changed: AlienVault is about two years old now, we have made a huge step forward and I think OSSIM is nowadays more than S/MB ready, as well as Enterprise ready. (And sadly our resources are still very limited compared to those which ArcSight, Symantec or others might have.)

Yesterday I followed a couple of quick Twitter exchanges, of which I'd like to quote the most significant ones:

  • I agree but S/M of SMB probably won't have the capabilities to run something like OSSIM and it's not robust enough for Ent.
  • @anton_chuvakin mind you, I simply asked if OSSIM had the potential, not that it was there yet... as always, I wonder, isn't there a better way?
  • @falconsview Re: opn src #SIEM Well, show me a sizable deployment (and not one hand-built by its creators) and I will believe you.
  • @anton_chuvakin Will you change your mind about open-source SIEM if I get you access to a sizable deployment not created by its authors? :P
  • @dkarg Re: open src #SIEM Yes, I probably will.

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

  1. OSSIM is not a SIEM.
  2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise.

Well, guess I'll have to prove them wrong ;-). And on top of that I'm not pissed off, so I guess I'm growing up :-)).

So what do I need? I myself have received news/feedback about pretty big OSSIM installations and have had my hands on another bunch of them, ranging from 100-person real estate companies to >40,000-PC government environments with distributed deployments and thousands of events per second (this last one using the COSS version, of course). But the point, as mentioned by Anton, is that it has to be one we don't have our hands in: the testimonial has to come from someone who's got a deployment running that is not managed by us. Both S/MB and large enterprise deployments are valid, since there are two points to prove. I'd really like to hear from a large company which is supposedly using Splunk+OSSIM; I can't say the name, but that would be a good example :-).

So, if any of you reading this is in that situation, please let Mr. Chuvakin and Mr. Hay know about it so that they can hopefully change their minds on the subject. There's contact information on their respective homepages. Otherwise I'll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, "there is no spoon").

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday; thanks everybody for attending and apologies for the, well, mishaps. I got quite nervous; the next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

posted at: 07:03 | path: /personal | 6 comments
Tags: siem, ossim, smb, enterprise



A review of a commercial SIM
Wed, 05 Dec 2007

Some time ago, earlier this year, I had the opportunity to attend a conference where one of the leading SIM vendors (according to Gartner's Magic Quadrant, at least) talked about their product. Although my opinion will always be biased and I tend to compare everything I see in this area with OSSIM, I also believe that I've got a solid basis to judge others.
Anyway, since I know myself, and making a review that compares more than five years of work with a 5-hour demo and some document browsing isn't fair, I won't say the name of this product.


posted at: 11:33 | path: /personal/opinion | 2 comments
Tags: opinion, commercial, siem, review



Dominique Karg
(feel free to get in touch)