Part 2: The Console
I’ll work the Leap Motion into it later.
After reading the Endpoint Security Management Buyers Guide, it became clear that there is a need to provide a centralized console to consolidate security events for managed assets.
By the time this project is finished, we'll have plenty of probes and sources of data: an anti-virus server, a distributed HIDS (OSSEC), a NIDS (Snort + Sguil + Squert + Snorby), a syslog filter (Sagan), a workstation policy engine (Group Policy), a patch management console (WSUS), a configuration management engine (Foreman + RunDeck + Puppet, FOC for golden base builds), and so on. Plus, we may be using Redmine's RESTful API as our primary dump for a ticket queue (an escalation point).
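The escalation path mentioned above, as an added example that is not part of this post: it parses a constructed OSSEC alert block, maps its level onto a ticket priority, and builds the payload Redmine's REST API expects (POST /issues.json, authenticated with an X-Redmine-API-Key header). The project identifier "soc-queue" and the priority id mapping are assumptions, not values from the post.

```python
import json
import re
import urllib.request

# Constructed sample in OSSEC alerts.log format; not a real event.
SAMPLE_ALERT = """** Alert 1358023500.12345: - syslog,sshd,authentication_failed,
2013 Jan 12 12:05:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Jan 12 12:04:59 web01 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 55012 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
HOST_RE = re.compile(r"^\S+ \S+ \S+ \S+ \((\S+)\) ", re.M)

def parse_ossec_alert(text):
    """Pull rule id, level, description and agent name out of one alert block."""
    rule = RULE_RE.search(text)
    host = HOST_RE.search(text)
    if not rule:
        raise ValueError("no 'Rule:' line in alert block")
    return {
        "rule_id": int(rule.group(1)),
        "level": int(rule.group(2)),
        "description": rule.group(3),
        "agent": host.group(1) if host else "unknown",
        "raw": text.strip(),
    }

def priority_for_level(level):
    """Map OSSEC level (0-15) onto Redmine priority ids; the id values are an assumption."""
    if level >= 12:
        return 5  # Immediate
    if level >= 10:
        return 4  # Urgent
    if level >= 7:
        return 3  # High
    return 2      # Normal

def build_issue(alert, project="soc-queue"):
    """Body for POST /issues.json; project_id may be a numeric id or the project identifier."""
    subject = "[OSSEC %d] %s on %s" % (alert["rule_id"], alert["description"], alert["agent"])
    return {"issue": {"project_id": project, "subject": subject,
                      "description": "<pre>%s</pre>" % alert["raw"],
                      "priority_id": priority_for_level(alert["level"])}}

def escalate(alert, base_url, api_key, opener=urllib.request.urlopen):
    """Create the ticket and return its id. Network call; only runs when invoked explicitly."""
    req = urllib.request.Request(base_url.rstrip("/") + "/issues.json",
                                 data=json.dumps(build_issue(alert)).encode(),
                                 headers={"Content-Type": "application/json",
                                          "X-Redmine-API-Key": api_key},
                                 method="POST")
    with opener(req) as resp:
        return json.load(resp)["issue"]["id"]
```

Pass a fake opener to `escalate` to exercise it offline; against a live Redmine, the response body carries the new issue under `"issue"`.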
I'll start by working through OSSIM, and hopefully won't run across anything distasteful in the process (Prelude and ACARM-ng are looking pretty nice for correlation as well). Remember, Sguil is not a SIEM.