[c-nsp] Cisco MARS vs. Q1 Qradar - and other vendors

Peter Rathlev peter at rathlev.dk
Tue Feb 3 15:46:53 EST 2009


On Tue, 2009-02-03 at 12:20 -0800, Dean Perrine wrote:
> Does anyone have some input on security event correlation systems?
> 
> Currently reviewing Cisco MARS vs. Q1 Labs QRadar.

We have a MARS-110 and I must frankly say I'm not impressed. The system
needs a _lot_ of training to be useful and the built-in templates aren't
worth much in my eyes. (We've had 10 people take the "MARS" training
course and even then only a couple of us find it at most marginally
useful.)

My personal conclusion is that a combination of SEC, NFsen and a few
scripts parsing logfiles etc. is an easier, cheaper and better way of
accomplishing event correlations. It's (relatively) easy to do the
visualisations in a similar way to what MARS does by feeding GraphViz
with input from either CDP (L2-topology) or your IGP or BGP
(L3-topology).

Of course this means you have to love using these tools and you need to
have several people on staff with the relevant skills. CS-MARS could be
the right thing as an "almost turn key" solution.
 
> Environment information:
> Very large DMVPN, IPS's, FW's, CSM.

The integration from CS-MARS towards many other Cisco products would be
the one maybe strong point.

I'd say let the people having to work with it make the decision. :-)

Regards,
Peter
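As an added illustration of the approach Peter describes (this is example code written for this page, not anything the poster or Cisco ships), the script below parses `show cdp neighbors detail` output collected from two switches into an undirected L2 topology, overlays `%LINK-3-UPDOWN` syslog events onto it, and emits GraphViz DOT. The hostnames, addresses, ports and syslog lines are all constructed for the example; in practice the CDP text would come from a RANCID-style collector or an SSH loop, and the syslog lines from your collector's files.

```python
import re

# Constructed sample: 'show cdp neighbors detail' output from two switches.
# Hostnames, addresses and ports are hypothetical, not from any real network.
CDP_OUTPUT = {
    "access1": """\
-------------------------
Device ID: dist1
Entry address(es):
  IP address: 10.0.0.1
Platform: cisco WS-C3750G-24TS,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/25,  Port ID (outgoing port): GigabitEthernet1/0/1
Holdtime : 137 sec
-------------------------
Device ID: access2
Entry address(es):
  IP address: 10.0.0.3
Platform: cisco WS-C2960-24TT,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/26,  Port ID (outgoing port): GigabitEthernet1/0/26
Holdtime : 142 sec
""",
    "dist1": """\
-------------------------
Device ID: access1
Entry address(es):
  IP address: 10.0.0.2
Platform: cisco WS-C2960-24TT,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/1,  Port ID (outgoing port): GigabitEthernet1/0/25
Holdtime : 155 sec
""",
}

# Constructed syslog lines in the shape IOS emits, with the hostname the
# collector prepends. Hypothetical; used only to show the correlation step.
SYSLOG_LINES = [
    "Feb  3 15:40:01 access1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/26, changed state to down",
    "Feb  3 15:40:02 access1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/26, changed state to down",
]

# One CDP entry: the neighbour's name, our local port and the neighbour's port.
ENTRY_RE = re.compile(
    r"Device ID:\s*(?P<peer>\S+).*?"
    r"Interface:\s*(?P<local_if>[^,]+),\s*Port ID \(outgoing port\):\s*(?P<peer_if>\S+)",
    re.S,
)
# Timestamp, host, then the LINK-3-UPDOWN message; other facilities are ignored.
LINK_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+%LINK-3-UPDOWN: "
    r"Interface (?P<iface>\S+), changed state to (?P<state>\w+)"
)


def parse_cdp_detail(local_host, text):
    """Return one (host, local_if, peer, peer_if) tuple per CDP neighbour entry."""
    links = []
    for entry in text.split("-------------------------"):
        m = ENTRY_RE.search(entry)
        if m:
            links.append((local_host, m["local_if"].strip(), m["peer"], m["peer_if"]))
    return links


def build_topology(cdp_by_host):
    """Merge each switch's CDP view into an undirected edge set.

    A link seen from both ends is keyed by the unordered pair of
    (host, interface) endpoints, so it is counted once.
    """
    edges = {}
    for host, text in cdp_by_host.items():
        for h, lif, peer, pif in parse_cdp_detail(host, text):
            edges[frozenset([(h, lif), (peer, pif)])] = (h, lif, peer, pif)
    return edges


def parse_link_events(lines):
    """Map (host, interface) -> last reported state from %LINK-3-UPDOWN lines."""
    state = {}
    for line in lines:
        m = LINK_RE.match(line)
        if m:
            state[(m["host"], m["iface"])] = m["state"]
    return state


def to_dot(edges, link_state):
    """Render the topology as GraphViz DOT; links reported down on either
    end are drawn red, which is the kind of overlay MARS shows."""
    out = ["graph l2_topology {", "  node [shape=box];"]
    for h, lif, peer, pif in sorted(edges.values()):
        down = link_state.get((h, lif)) == "down" or link_state.get((peer, pif)) == "down"
        attrs = 'color=red, penwidth=2, label="DOWN"' if down else "color=black"
        out.append(f'  "{h}" -- "{peer}" [taillabel="{lif}", headlabel="{pif}", {attrs}];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe the result into 'dot -Tpng -o topology.png' to get the picture.
    print(to_dot(build_topology(CDP_OUTPUT), parse_link_events(SYSLOG_LINES)))
```

Keying edges on the unordered endpoint pair is what keeps the graph honest when both switches report the same link; the same dictionary is also where an L3 variant would land if you replaced the CDP parser with one reading OSPF or BGP neighbour tables.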
