We are trying to add some open source products to our SIEM tool. My boss wants time estimates on installation and integration with the SIEM tool. I have never installed any of these tools. If you have any other suggestions or comments thanks in advance. It would be nice to know if it helped populate the network model since this is our end goal.
- Microsoft Baseline Security Analyzer
I'd recommend checking out the presentation by myself and Robert McGinley from Protect '11 - https://protect724.arcsight.com/docs/DOC-1907. I integrated nmap, snort, nessus, and ossec into a previous implementation.
Unfortunately there is no way of producing a time estimate as there are too many variables - e.g., amount of data, number of hosts, number of subnets, completeness of zone creation, configuration of network devices, etc... Based on these, the time could range from a week to a month. Given that you said you've never installed them before, there will be a learning curve as well which will add to the amount of time.
I have some very specific questions on Nmap and populating the network model. I have loaded our network model already (1 year ago), but it is now out of date and needs to be updated. I hope someone can answer the following questions for me:
- 1. Has Nmap, the product, worked for other companies? Or what products have worked for them to auto-populate the network model?
- 2. What does ArcSight recommend as a method of continuing to update network model?
- 3. How can I mitigate risks of Nmap based on the experience of others?
- 4. Produce a fact-based estimate of effort to install Nmap (facts from others' experience).
- 5. How does the smart connector/import work? Do we need to delete our network model and re-import? Will the smart connector do the job or do we need to export a CSV (etc.) from Nmap and import the file into ArcSight?
Thanks in advance,
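Questions 2 and 5 above come down to two mechanical steps: turning an nmap scan of your own network into a flat asset list, and comparing that list against the assets already in the network model so you know what to add or retire rather than deleting and re-importing everything. The following is an added example written for this thread; it is not code from the thread, from ArcSight, or from the nmap project. It assumes you already have an nmap XML report (`nmap -oX`) of a network you are authorised to inventory; the sample XML is constructed, and the CSV column layout is an assumption, since the thread does not describe the connector's or the import tool's real field names (take those from the product documentation).

```python
"""Flatten an nmap XML report (nmap -oX) into an asset CSV and diff it
against an existing asset list.

Added example for the thread above; not ArcSight or nmap project code.
Assumptions: the scan covers your own network, and the CSV columns below
(ip, mac, hostname, open_ports) are a placeholder layout, not ArcSight's
documented import format.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output: two hosts up, one down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that nmap reports as up.

    Only ports in state 'open' are recorded; 'open|filtered' (common for
    UDP) is ambiguous and deliberately left out so the asset list does not
    claim services that were never confirmed.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        ipv4 = host.find("address[@addrtype='ipv4']")
        mac = host.find("address[@addrtype='mac']")
        hostname = host.find("hostnames/hostname")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            service_name = service.get("name", "") if service is not None else ""
            open_ports.append("%s/%s/%s" % (port.get("portid"), port.get("protocol"), service_name))
        hosts.append({
            "ip": ipv4.get("addr") if ipv4 is not None else "",
            "mac": mac.get("addr") if mac is not None else "",
            "hostname": hostname.get("name") if hostname is not None else "",
            "open_ports": ";".join(open_ports),
        })
    return hosts


COLUMNS = ["ip", "mac", "hostname", "open_ports"]  # assumed layout, see docstring


def hosts_to_csv(hosts):
    """Render the parsed hosts as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(hosts)
    return buf.getvalue()


def diff_against_model(model_ips, hosts):
    """Compare scanned hosts with the IPs already in the network model.

    'new' hosts need adding, 'missing' ones are candidates for review or
    retirement, 'unchanged' ones can be left alone; this is what makes an
    incremental update possible instead of a delete-and-reimport.
    """
    model = set(model_ips)
    scanned = {h["ip"] for h in hosts}
    return {
        "new": sorted(scanned - model),
        "missing": sorted(model - scanned),
        "unchanged": sorted(model & scanned),
    }


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(hosts_to_csv(found))
    # Constructed stand-in for the IPs currently loaded in the model.
    print(diff_against_model(["192.0.2.10", "192.0.2.99"], found))
```

Run it against a real report with `parse_nmap_xml(open("scan.xml").read())` and feed the `missing` list to whoever owns the asset records before removing anything: a host that is down during one scan window is not necessarily decommissioned, which is the main risk of letting a scanner overwrite the model automatically.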