VMware Cloud Community
TheVMinator
Expert

VMware Security Analytics

It seems that VMware does not have a security analytics product. They have Operations Manager, which does analytics on performance, anomalies and the like. Log Insight can correlate syslog events, but isn't designed for security analytics.
What product(s) might I add to my vCloud Suite for security analytics and how do they integrate with the vCloud Suite in general?

5 Replies
Netwrix
Enthusiast

You can take a look at Netwrix Auditor solution for VMware https://solutionexchange.vmware.com/store/products/netwrix-auditor

Texiwill
Leadership

Hello,

I built a content pack for Log Insight for security, so yes, the data can be used to do some analytics. If you are a VMUG member you can go to http://www.vmug.com/p/do/si/topic=1397 and download the content pack for your Log Insight instance. As for a direct package, there are several to look at: Splunk Enterprise Security, etc.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
TheVMinator
Expert

OK, great info, thanks. Edward, I much appreciate your opinion. Can you give me your opinion on how the security analytics from Splunk Enterprise and Log Insight with the additional content pack would compare with IBM QRadar SIEM in terms of the maturity, depth and breadth of security analytics provided? Thanks again!

Texiwill
Leadership

Hello,

Splunk compares better than Log Insight with the content pack, mainly because Splunk is much more mature and the content pack just shows what is available. A full-blown SIEM tuned for ESXi may be the better way to go. However, if it is not tuned for the virtual environment, it is about as useful as a can of soup for security purposes. If you are using the SIEM already and have tuned it, that is great. If you have not tuned it and already have the investment, then I suggest you ingest the ESXi and other logs and start tuning it. SIEMs need tuning for various ingests. If you do not have an investment, then I suggest Splunk ES or something that is already built to ingest ESXi logs and produce useful data.

Take a look at the content pack; perhaps it has all you need. There is a preso as well going over how it was built and why.

Everything depends on whether what you currently have is tuned for the virtual environment.

Best regards,
Edward L. Haletky
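The answer above makes the point that a SIEM is only useful for the virtual environment once it has been tuned for the ESXi log sources it ingests. The following is an added example, not code from this thread, the content pack, or any SIEM product: a small ingest-and-tune step in Python that normalises hostd authentication messages and raises alerts for repeated rejected logins from one source within a window, and for a successful login that follows recent rejections for the same account. The sample lines are constructed; their layout is modelled loosely on ESXi hostd "Rejected password for user … from …" messages, and the exact format, thresholds and field names are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a syslog-style layout (assumption: illustrative
# of ESXi hostd authentication messages, not captured from a real host).
SAMPLE_LOGS = """\
2014-03-10T10:00:01Z esx01 Hostd: [Vimsvc] Rejected password for user root from 10.0.0.5
2014-03-10T10:00:04Z esx01 Hostd: [Vimsvc] Rejected password for user root from 10.0.0.5
2014-03-10T10:00:06Z esx01 Hostd: [Vimsvc] Rejected password for user root from 10.0.0.5
2014-03-10T10:00:09Z esx01 Hostd: [Vimsvc] Accepted password for user root from 10.0.0.5
2014-03-10T10:01:00Z esx01 Hostd: [Vimsvc] Rejected password for user admin from 10.0.0.7
2014-03-10T10:02:00Z esx01 vmkernel: cpu3:12345)ScsiDeviceIO: 2338: Cmd completed
2014-03-10T10:30:00Z esx01 Hostd: [Vimsvc] Rejected password for user admin from 10.0.0.7
2014-03-10T10:31:00Z esx02 Hostd: [Vimsvc] Accepted password for user root from 10.0.0.9
"""

# Only hostd authentication outcomes are normalised; everything else is noise
# for this detection and is dropped by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+Hostd:.*?"
    r"(?P<outcome>Rejected|Accepted) password for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a normalised auth event dict, or None for lines that are not hostd auth messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "host": m.group("host"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_auth_abuse(lines, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window rule over hostd auth events.

    Alerts (as tuples) are produced when:
      - a (host, user, src) triple reaches `threshold` rejections inside `window`;
      - an accepted login arrives while that triple still has rejections in the window.
    The threshold and window are assumed example values; tune them per environment.
    """
    recent = defaultdict(deque)  # (host, user, src) -> timestamps of recent rejections
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"], ev["src"])
        q = recent[key]
        # Expire rejections that fell out of the window before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Rejected":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append(("repeated_rejections", *key, threshold))
        else:
            if q:
                alerts.append(("success_after_rejections", *key, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed sample this yields two alerts for root from 10.0.0.5 on esx01 (three rejections in under ten seconds, then a success), while the two admin rejections from 10.0.0.7 half an hour apart stay below the threshold because the first one has expired from the window. That expiry is the "tuning" step: without a window and a threshold matched to how the environment is actually used, every stray typo looks like an attack and the output is noise.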
TheVMinator
Expert

Great, thanks again.
