ossim - AlienVault
ossim - AlienVault
ossim - AlienVault
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
3.3 Centralization and Normalization<br />
Normalization and centralization (or aggregation) are aimed at unifying security events from all<br />
critical systems throughout the organization in a single format on just one console.<br />
All security products normally have a capacity for centralized management using standard<br />
protocols; hence, aggregation is simple using these protocols. In OSSIM we attempt to avoid<br />
regular use of agents and instead use forms of communication that are native to systems.<br />
Normalization requires a parser or translator familiar with the types and formats of alerts coming<br />
from different detectors. We will need to organize the database and adapt the forensic console<br />
in order to homogenize processing and display of all these events.<br />
That way we will be able to observe all security events for a particular moment in time—whether<br />
they come from a router, a firewall, an IDS, or a UNIX server—on the same screen and in the<br />
same format.<br />
When we have all network events centralized in the same database, we achieve a considerably<br />
comprehensive view of what’s going on throughout the network, which, as we will see shortly,<br />
allows us to develop processes that enable us to detect more complex and widely dispersed<br />
patterns.<br />
13