[c-nsp] Cisco MARS vs. Q1 Qradar - and other vendors
Peter Rathlev
peter at rathlev.dk
Tue Feb 3 15:46:53 EST 2009
On Tue, 2009-02-03 at 12:20 -0800, Dean Perrine wrote:
> Does anyone have some input on security event correlation systems?
>
> Currently reviewing Cisco MARS vs. Q1 Labs QRadar.
We have a MARS-110 and I must frankly say I'm not impressed. The system
needs a _lot_ of training to be useful and the built-in templates aren't
worth much in my eyes. (We've had 10 people take the "MARS" training
course and even then only a couple of us find it at most marginally
useful.)
My personal conclusion is that a combination of SEC, NFsen and a few
scripts parsing logfiles etc. is an easier, cheaper and better way of
accomplishing event correlations. It's (relatively) easy to do the
visualisations in a similar way to what MARS does by feeding GraphViz
with input from either CDP (L2-topology) or your IGP or BGP
(L3-topology).
Of course this means you have to love using these tools and you need to
have several people on staff with the relevant skills. CS-MARS could be
the right thing as an "almost turn key" solution.
> Environment information:
> Very large DMVPN, IPS's, FW's, CSM.
The integration from CS-MARS towards many other Cisco products would be
the one maybe strong point.
I'd say let the people having to work with it make the decision. :-)
Regards,
Peter
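The CDP-to-GraphViz step Peter describes, as an added example that is not from the original post or from any of the products named: it parses constructed "show cdp neighbors detail" style output from two devices (made-up names and interfaces), merges the per-device neighbour tables into de-duplicated L2 links, and emits a DOT graph for GraphViz.

```python
import re

# Constructed sample in "show cdp neighbors detail" layout, keyed by the local
# device that produced it (made-up names, not data from the original post).
CDP_SAMPLES = {
    "sw-core1": """
Device ID: sw-access1.example.net
Interface: GigabitEthernet1/0/1,  Port ID (outgoing port): GigabitEthernet0/48
Device ID: fw-edge1.example.net
Interface: GigabitEthernet1/0/2,  Port ID (outgoing port): GigabitEthernet0/1
""",
    "sw-access1": """
Device ID: sw-core1.example.net
Interface: GigabitEthernet0/48,  Port ID (outgoing port): GigabitEthernet1/0/1
""",
}

# One neighbour entry: the Device ID line followed (possibly after other lines)
# by the Interface / Port ID line of the same entry.
ENTRY_RE = re.compile(
    r"Device ID:\s*(?P<remote>\S+).*?Interface:\s*(?P<local_if>[^,\s]+),"
    r"\s*Port ID \(outgoing port\):\s*(?P<remote_if>\S+)",
    re.DOTALL,
)

def short_name(device_id):
    # Strip the DNS suffix so both ends of a link name the node the same way.
    return device_id.split(".")[0]

def parse_cdp(local, text):
    # Yield (local, local_if, remote, remote_if) per neighbour entry.
    for m in ENTRY_RE.finditer(text):
        yield (local, m["local_if"], short_name(m["remote"]), m["remote_if"])

def build_links(samples):
    # Merge per-device neighbour tables into undirected, de-duplicated links:
    # a link reported from both ends is stored once, in canonical order.
    links = set()
    for local, text in samples.items():
        for a, a_if, b, b_if in parse_cdp(local, text):
            links.add(min((a, a_if, b, b_if), (b, b_if, a, a_if)))
    return sorted(links)

def to_dot(links):
    # Render the links as GraphViz DOT; feed the output to `dot -Tpng`.
    out = ["graph l2_topology {", "  node [shape=box];"]
    for a, a_if, b, b_if in links:
        out.append(f'  "{a}" -- "{b}" [taillabel="{a_if}", headlabel="{b_if}"];')
    out.append("}")
    return "\n".join(out)
```

`print(to_dot(build_links(CDP_SAMPLES)))` writes the graph; the same link seen from both switches appears as a single edge.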