It seems that VMware does not have a security analytics product. They have Operations Manager, which does analytics on performance, anomalies and the like. Log Insight can correlate syslog events, but isn't designed for security analytics.
What product(s) might I add to my vCloud Suite for security analytics and how do they integrate with the vCloud Suite in general?
You can take a look at Netwrix Auditor solution for VMware https://solutionexchange.vmware.com/store/products/netwrix-auditor
Hello,
I built a content pack for Log Insight for security, so yes, the data can be used to do some analytics. If you are a VMUG member you can go to http://www.vmug.com/p/do/si/topic=1397 and download the content pack for your Log Insight instance. As for a direct package, there are several to look at: Splunk Enterprise Security, etc.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014
Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
OK, great info, thanks. Edward, I much appreciate your opinion. Can you give me your opinion on how the security analytics from Splunk Enterprise and Log Insight with the additional content pack would compare with IBM QRadar SIEM in terms of the maturity, depth and breadth of security analytics provided? Thanks again!
Hello,
Splunk compares better than Log Insight with the content pack, mainly because Splunk is much more mature and the content pack just shows what is available. A full-blown SIEM tuned for ESXi may be the better way to go. However, if it is not tuned for the virtual environment, it is about as useful as a can of soup for security purposes. If you are using the SIEM already and have tuned it, that is great. If you have not tuned it and already have the investment, then I suggest you ingest the ESXi and other logs and start tuning it. SIEMs need tuning for various ingests. If you do not have an investment then I suggest Splunk ES or something that is already built to ingest ESXi logs and produce useful data.
Take a look at the content pack, perhaps it has all you need. There is a preso as well going over how it was built and why.
Everything depends on whether what you currently have is tuned for the virtual environment.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014
Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
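To make the "tune the SIEM for ESXi ingest" advice above concrete, here is an added example (not from the thread, not VMware's or Splunk's code, and not the Log Insight content pack) of the kind of host-specific correlation rule a SIEM needs before ESXi syslog becomes useful. The log lines are constructed in the style of ESXi's forwarded syslog (timestamp, host, process, message); the exact message wording, the process name filter and the failure threshold of 3 are assumptions for illustration, so the patterns would need to be adjusted to match what your own hosts actually emit.

```python
import re
from collections import Counter

# Constructed sample lines in an ESXi-style syslog layout; not real captures.
SAMPLE_LOGS = """\
2014-03-10T09:00:01Z esxi01 Hostd: [Auth] Rejected password for user root from 10.1.1.50
2014-03-10T09:00:03Z esxi01 Hostd: [Auth] Rejected password for user root from 10.1.1.50
2014-03-10T09:00:05Z esxi01 Hostd: [Auth] Rejected password for user root from 10.1.1.50
2014-03-10T09:00:07Z esxi01 Hostd: [Auth] Rejected password for user root from 10.1.1.50
2014-03-10T09:00:09Z esxi01 Hostd: [Auth] Accepted password for user root from 10.1.1.50
2014-03-10T09:05:00Z esxi01 Hostd: Event: user root@10.1.1.50 enabled the ESXi Shell
2014-03-10T09:06:00Z esxi02 vpxa: heartbeat to vCenter ok
2014-03-10T09:07:00Z esxi02 Hostd: [Auth] Rejected password for user admin from 10.1.1.60
"""

# Generic syslog envelope: "<ts> <host> <process>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")
# Assumed wording of the host agent's authentication messages.
AUTH_RE = re.compile(
    r"(?P<result>Rejected|Accepted) password for user (?P<user>\S+) from (?P<src>\S+)"
)
# Assumed wording of the event emitted when the local shell is turned on.
SHELL_ENABLED = "enabled the ESXi Shell"


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def evaluate(lines, threshold=3):
    """Run the virtualization-specific rules over an ordered stream of lines.

    Returns a list of alert dicts. Rules:
      repeated_auth_failure       - `threshold` rejected logins for one host/user/source
      auth_success_after_failures - an accepted login right after such a run
      shell_enabled               - the ESXi Shell was turned on (noteworthy on any host)
    """
    alerts = []
    failures = Counter()  # keyed by (host, user, source address)
    for raw in lines:
        ev = parse_line(raw)
        # Only the host agent's messages are relevant to these rules; vpxa
        # heartbeats and anything else are noise for this purpose.
        if ev is None or ev["proc"] != "Hostd":
            continue
        msg = ev["msg"]
        auth = AUTH_RE.search(msg)
        if auth:
            key = (ev["host"], auth["user"], auth["src"])
            if auth["result"] == "Rejected":
                failures[key] += 1
                if failures[key] == threshold:
                    alerts.append({"rule": "repeated_auth_failure", "ts": ev["ts"],
                                   "host": key[0], "user": key[1], "src": key[2]})
            else:
                if failures[key] >= threshold:
                    alerts.append({"rule": "auth_success_after_failures", "ts": ev["ts"],
                                   "host": key[0], "user": key[1], "src": key[2]})
                failures[key] = 0  # a successful login closes the failure run
        elif SHELL_ENABLED in msg:
            alerts.append({"rule": "shell_enabled", "ts": ev["ts"],
                           "host": ev["host"], "detail": msg})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The point of the example is the tuning, not the parser: a generic SIEM will happily ingest these lines and show nothing, because it does not know that a Hostd login rejection and a shell-enable event are the fields worth keying on, or that vpxa heartbeat chatter should be dropped. Those rules are exactly what a content pack or an ESXi-aware SIEM app supplies out of the box, and what you would otherwise have to write yourself.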
Great, thanks again.