One topic causing considerable “buzz” among my students is what product will eventually replace the Cisco MARS appliance, declared End-Of-Sale late in 2010. The need for effective Security Information and Event Management (SIEM) solutions increased, if anything, over the approximate 5-year time span MARS was offered. This post presents some alternative solutions.
Before I talk about specific hardware devices, let’s discuss some criteria for deciding on a replacement. A good starting point is to examine the positive attributes of the MARS appliance and use them as a standard of comparison:
I — Ability to Collect Multiple Message Types
MARS can collect syslogs (UDP or TCP), SNMP Traps, NetFlow messages, Windows logs via RPC, and IPS alerts while also being able to continually poll Cisco devices for resource utilization.
II — Customizability
Through the use of user-defined Custom Parser Templates, MARS can create incidents from previously unknown event types.
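To make criterion II concrete, here is an added example (my own illustration, not MARS code or any vendor's parser) of what a user-defined parser template does: a regex per message format maps raw syslog text to a normalized event type and fields, and a simple rule turns repeated events into an incident. The device names, message formats (`LOGIN_FAIL`, `SESSION_START`) and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Custom parser templates: each maps a regex over the message body to a
# normalized event type. Formats below are constructed, not a real vendor's.
PARSER_TEMPLATES = [
    {"event_type": "Auth/Login Failure",
     "pattern": re.compile(r"LOGIN_FAIL user=(?P<user>\S+) src=(?P<src>\S+)")},
    {"event_type": "Auth/Login Success",
     "pattern": re.compile(r"LOGIN_OK user=(?P<user>\S+) src=(?P<src>\S+)")},
]

# Minimal BSD-style syslog header: <PRI>Mon DD HH:MM:SS host message
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample lines: one unknown type, three failures, one success.
SAMPLE_LOGS = [
    "<189>Jan 12 10:01:02 fw1 vendorx: SESSION_START id=4321",
    "<190>Jan 12 10:01:05 vpn1 vendorx: LOGIN_FAIL user=alice src=198.51.100.9",
    "<190>Jan 12 10:01:06 vpn1 vendorx: LOGIN_FAIL user=alice src=198.51.100.9",
    "<190>Jan 12 10:01:07 vpn1 vendorx: LOGIN_FAIL user=alice src=198.51.100.9",
    "<190>Jan 12 10:01:09 vpn1 vendorx: LOGIN_OK user=bob src=198.51.100.20",
]

def parse_event(line):
    """Return a normalized event dict, or None when no template matches."""
    header = SYSLOG_HEADER.match(line)
    if not header:
        return None
    for template in PARSER_TEMPLATES:
        m = template["pattern"].search(header.group("msg"))
        if m:
            event = {"event_type": template["event_type"], "host": header.group("host")}
            event.update(m.groupdict())
            return event
    return None  # unknown event type: a candidate for a new template

def build_incidents(lines, threshold=3):
    """Raise one incident per (src, user) once login failures reach threshold."""
    failures = defaultdict(int)
    incidents = []
    for line in lines:
        event = parse_event(line)
        if event is None or event["event_type"] != "Auth/Login Failure":
            continue
        key = (event["src"], event["user"])
        failures[key] += 1
        if failures[key] == threshold:
            incidents.append({"rule": "Repeated Login Failures",
                              "src": key[0], "user": key[1], "count": threshold})
    return incidents
```

Running `build_incidents(SAMPLE_LOGS)` yields a single incident for alice from 198.51.100.9; the `SESSION_START` line parses to `None`, which is exactly the kind of unknown message a new template would be written for.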
III — Scalability
By using the distributed deployment of one Global Controller and multiple Local Controllers, a previously implemented standalone appliance can be expanded to include multiple sources, each with differing security policies and logging requirements.
Now that the bar’s been set, let’s examine some of the more publicized options. First, Chris Durkin, manager of the Unofficial MARS Blog, has both a two-part product review and an advertisement for Accelops, a virtual-machine-deployed product intended as a MARS substitute. I use the word “substitute” here because the original Protego Networks founding members started this organization and endeavored to expand both functionality and ease-of-use beyond the current capabilities of Cisco MARS.
Gartner’s Critical Capabilities for Security Information and Event Management Technology and its Magic Quadrant for Security Information and Event Management compare multiple vendors. In this list are three products I heard about from a number of students, and the feedback I received is consistent with the Gartner white papers:
- Q1Labs QRadar: a comprehensively capable product along the lines of the first criterion, the ability to collect multiple message types.
- NitroSecurity: can be used in large environments to satisfy scalability.
- LogRhythm: has ease-of-use that allows for quick deployment. While I didn’t mention that as an attribute, I can easily see how today’s short-staffed IT departments consider that to be important.