What kind of monitoring tool do Ops people love most?
Which indicators need to be monitored? What can be monitored? How deep can monitoring go? You may not have clear answers to these questions yet. Let us first look at the situation Ops engineers are in.
1. The current state of operations and maintenance
In traditional enterprise IT, operations and maintenance is reactive: a fault is discovered by the people using the systems, the Ops staff are notified, and only then do they take remedial action. Ops staff spend most of their time and energy on simple, repetitive problems, and because the early-warning mechanism is immature, faults are usually handled only after they have already occurred. This keeps Ops in a passive "firefighting" state, and the passive mode wears the IT department out. How can the quality of operations be improved? Can the production side ever give the Ops department a satisfactory evaluation?
At present we lack clear role definitions and a clear division of responsibilities in the operations and management process, and we lack an automated, integrated operations management platform. As a result it is hard to find the cause quickly and accurately after a problem occurs, and there is no proper tracking or record keeping after a fault has been handled.
2. The secrets hidden behind traffic
The traffic volume on a network interface is no longer enough for today's troubleshooting needs. Traffic analysis has to go deeper and become more detailed.
Figure 1: Traditional traffic monitoring tools only look at appearances
Many exploit and shellcode attacks are mixed into normal traffic and pass through the enterprise's network-layer protection. To know what each packet actually carries, the ordinary "camera" no longer works; a more powerful "X-ray camera" is needed: protocol analysis. Only with it can shellcode attacks (shellcode and botnet samples, for example) and the various worms be properly understood.
3. New challenges for security operations in the era of big data
Operations engineers in the big data era face a large number of network security events. Without effective tools to complete the analysis work, they often run into the following challenges:
1) A large number of security alarms appear every day, making it difficult for administrators to respond to all of them.
2) False positives are serious, so administrators cannot accurately determine where the fault lies.
3) Alarms are numerous, repetitive, fragmented and irregular. A single attacker action triggers alarms from different security devices at different stages, so the alarm data contains a large amount of duplication across time and space. Without correlated processing of security events, alarm quality cannot be effectively improved.
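As an added example (not code from the original post or from the OSSIM project), the following Python aggregator shows the third challenge in code: raw alarms from several devices that describe the same attacker action are merged by (source, destination) within a time window into one consolidated alarm that records how many raw alarms it covers, which devices reported it and which signatures fired. A group reported by two or more devices is marked for escalation. The alarm records, device names and IP addresses are constructed sample data, not captured output.

```python
from datetime import datetime, timedelta

# Constructed sample alarms, not real data: one attacker action against one
# host is reported by three devices at different stages, one alarm from the
# same source arrives much later, and one alarm is unrelated.
SAMPLE_ALARMS = [
    {"ts": "2014-03-01T10:00:01", "device": "firewall-1", "src": "203.0.113.7",
     "dst": "192.0.2.10", "sig": "blocked connection"},
    {"ts": "2014-03-01T10:00:04", "device": "ids-1", "src": "203.0.113.7",
     "dst": "192.0.2.10", "sig": "port scan"},
    {"ts": "2014-03-01T10:00:09", "device": "ids-1", "src": "203.0.113.7",
     "dst": "192.0.2.10", "sig": "port scan"},
    {"ts": "2014-03-01T10:01:30", "device": "hids-web01", "src": "203.0.113.7",
     "dst": "192.0.2.10", "sig": "ssh brute force"},
    {"ts": "2014-03-01T10:02:00", "device": "ids-1", "src": "198.51.100.4",
     "dst": "192.0.2.20", "sig": "ICMP sweep"},
    {"ts": "2014-03-01T11:30:00", "device": "firewall-1", "src": "203.0.113.7",
     "dst": "192.0.2.10", "sig": "blocked connection"},
]


def parse_ts(text):
    """Parse the ISO-like timestamp used in the constructed records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def correlate(alarms, window=timedelta(minutes=5)):
    """Merge alarms that share (src, dst) and arrive within `window` of the
    group's most recent alarm. Returns consolidated alarms in time order."""
    groups = []
    open_groups = {}  # (src, dst) -> index of the group still accepting alarms
    for alarm in sorted(alarms, key=lambda a: parse_ts(a["ts"])):
        key = (alarm["src"], alarm["dst"])
        ts = parse_ts(alarm["ts"])
        idx = open_groups.get(key)
        if idx is not None and ts - groups[idx]["last_seen"] <= window:
            group = groups[idx]
        else:
            # Either first alarm for this pair, or the previous group went quiet
            # for longer than the window: start a new consolidated alarm.
            group = {"src": alarm["src"], "dst": alarm["dst"],
                     "first_seen": ts, "last_seen": ts, "count": 0,
                     "devices": set(), "signatures": set()}
            groups.append(group)
            open_groups[key] = len(groups) - 1
        group["count"] += 1
        group["last_seen"] = ts
        group["devices"].add(alarm["device"])
        group["signatures"].add(alarm["sig"])
    for group in groups:
        # Sorted lists give stable output for reports and tests.
        group["devices"] = sorted(group["devices"])
        group["signatures"] = sorted(group["signatures"])
        # Corroboration by more than one device is the trigger for escalation.
        group["escalate"] = len(group["devices"]) >= 2
    return groups


def reduction_ratio(alarms, groups):
    """Consolidated alarms divided by raw alarms (lower means more dedup)."""
    return len(groups) / len(alarms)


if __name__ == "__main__":
    consolidated = correlate(SAMPLE_ALARMS)
    for g in consolidated:
        print("%s -> %s: %d alarms, %s to %s, devices=%s, escalate=%s" % (
            g["src"], g["dst"], g["count"], g["first_seen"].time(),
            g["last_seen"].time(), ",".join(g["devices"]), g["escalate"]))
    print("reduction ratio: %.2f" % reduction_ratio(SAMPLE_ALARMS, consolidated))
```

With the constructed input, six raw alarms collapse to three consolidated ones; the first covers four alarms from three devices and is the only one marked for escalation, while the late alarm from the same source starts a new group because it falls outside the five-minute window.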
These problems arise in part because enterprises lack operational tools such as event monitoring and diagnostics; without efficient management tools it is hard to handle fault events proactively and quickly. There are many operations monitoring tools on the market. Commercial products such as CiscoWorks 2000, SolarWinds, ManageEngine and WhatsUp focus on fault monitoring, and on the open source side there are MRTG, Nagios, Cacti, Zabbix, Zenoss, OpenNMS, Ganglia and so on. Because these tools are not connected to each other, deploying them does not really free the operator. Current technology can collect warning information from computer equipment, servers, network traffic and even databases, but when thousands of warning messages pile up together nobody can tell where the root of the problem lies; what is lacking is the ability to screen the information and mine the data. We do not lack tools, commercial or open source; there are plenty of them. So why are they used so badly? What is really missing is intelligence in analyzing the data.
In addition, checking the various monitoring systems means logging into each one and looking at a wide range of interfaces, and most update management is manual work. Even a simple system change or update often requires logging on to the system, and when the number of devices reaches hundreds of thousands, the workload can be imagined. Such changes and inspections are carried out daily in IT operations and undoubtedly consume a large share of operations resources. A unified, integrated security management platform for operations staff is therefore urgently needed.
In the past, relying on a few "technical gurus" to cover everything was enough, but it no longer meets requirements. Enterprises need a security operations platform that meets the needs of specialization, standardization and process orientation and achieves automated operations management. An integrated monitoring system can detect hidden problems in time, proactively tell users which resources need attention, perceive network threats, and eliminate faults while they are still in the bud. This greatly reduces the workload of Ops staff, minimizes maintenance time and improves service quality.
4. Manually integrating open source tools
Since we cannot find the right tool, what if we integrate the common open source tools into a single Linux platform? Isn't that an implementation of a unified management platform?
The difficulties of manually integrating open source monitoring systems:
1. Software and library dependency issues are difficult to resolve.
2. Each subsystem has its own login (repeated authentication) and its own interface style.
3. Data cannot be shared between subsystems.
4. Correlation analysis across the data cannot be implemented.
5. Reports cannot be generated in a consolidated format.
6. There is no unified dashboard to display the important monitoring information.
7. Network risk cannot be detected.
8. Each subsystem is difficult to maintain, which increases operations cost.
In practice, this approach first runs into performance problems: some scripts periodically consume a lot of CPU and I/O resources, so real-time data analysis is not possible. And imagine how many people and how much time it would take to develop a monitoring platform from scratch.
5. Choosing an integrated security operations platform
A good security operations platform needs to correlate events with IT processes: once the monitoring system discovers a performance threshold breach or an outage, it triggers the related events and predefined processes that automatically initiate fault response and recovery. It also needs to take over the daily repetitive work of operations staff to improve operational efficiency. Conventional monitoring software such as Cacti and Zabbix cannot provide these functions.
At the same time, it must be able to predict network worm threats and alert before a fault occurs, so that operations staff can eliminate the fault in the bud and keep the resulting losses to a minimum. In general, Ops needs asset management, distributed deployment, vulnerability scanning, risk assessment, policy management, real-time traffic monitoring, anomalous traffic analysis, attack detection and alarming, correlation analysis, risk calculation, security event alerting, event aggregation, log collection and analysis, a knowledge base, timeline analysis, unified report output and multi-user permission management. How far does the manual integration of open source tools get toward all of this? Where did it end up?
There are currently two kinds of products that meet such requirements. The main SIEM products on the market are HP ArcSight (backed by an Oracle database), IBM Security QRadar SIEM and AlienVault OSSIM/USM. Commercial SIEM solutions are not in short supply; among open source software, OSSIM is the best option.
Many people superficially think that OSSIM merely integrates some open source tools into a single platform. OSSIM's disruptive innovations lie mostly in ease of use (easy to install and deploy, easy to operate, almost no scripting), distributed monitoring, threat response (OTX), the correlation analysis engine, visual attack demonstration and more.
AlienVault comes in two editions, the open source OSSIM and the commercial USM. Through this integrated monitoring tool, user operating norms are enforced and computing resources are monitored in near real time, including servers, databases, middleware, storage and backup, network, security, the computer room, business applications and more; faults and problems are handled in an integrated, centralized way through the automated monitoring management platform.
If you do not want to buy expensive commercial software and do not want to invest a lot of effort in developing your own, then OSSIM is the only choice for implementing an integrated security management platform. What I am studying hard in the OSSIM project today is very likely what you will be doing tomorrow.
Well, let's see what OSSIM can do for you.
After reading this, what do you think? If you want to learn OSSIM, please follow my fourth monograph, which I will be publishing soon:
Open Source Security Operations Platform: OSSIM Best Practices.