Correlate events from Firewalls, IPS and Cisco Routers
That is a really open-ended question. I'm not sure you're going to get a ton of responses. When you are talking about utilizing event sources in the correlation engine, you can usually look at it one of two ways:
1. Do I have the event sources that I need to create content that answers question or requirement 'X'?
2. I know that I have data coming from event sources X, Y, and Z. What can I do with it?
It sounds like you are in example two.
What you do with these event sources is ultimately up to you. In the end, it all comes down to values in fields. Look at your data and see what it tells you. Come up with a strategy to wring every last drop of data out of every alert and then find ways that you can throw those values against each other in a way that will either deliver you new, actionable data, or answer a question or requirement that you have.
Justink has a good point there; it's a tough question. However, correlating events from these devices is certainly possible. Check out the Protect10 presentation I made called "Evolution of Malware Detection". It covers the fundamentals of using those technology logs to get to malware.
Where can I find your presentation on "Evolution of Malware"? I was unfortunately not able to attend this year's conference due to budget, but I am very interested in this presentation.
Thanks in advance.
I should have mentioned where you could find it... ;-)
Go to the Protect10 space on this site and look through the lists of presentations; they provided audio as well. There are a number of excellent presentations there which can help you in your correlation quest.