
What third party security monitoring solutions are used to collect data from the Sophos database?

Hi Everyone,

We are looking into a third party security solution that will collect data from across the network as well as the Sophos Management console. The names vary, but I'm interested in whether anyone else has used a security application to analyze the information coming from the Sophos management console. If so, how did the Sophos management console perform with the attached load on the security collector?

Cisco's MARS

QRadar

NitroSecurity SIEM

ArcSight SIEM

These are applications that do real time querying against the Sophos database.

Thanks,

VCU



Hi,

Whatever you choose, the main concern would be over table locking I would think and the impact that would have on the management service's ability to perform its operations. Excessive queries could result in a slower messaging process and a slightly less responsive SEC. Of course, if you have a dedicated SQL box you can probably expect fewer problems than if you use SQL Express on the same machine and all the resource constraints that might place on SQL, but even then it depends on the number of machines being managed and general churn in the system. Dedicated disks for the data and logs etc. will help to bring down the SQL query durations, which in turn is less likely to lead to issues, especially under load.

I would suggest when introducing any additional load on the SOPHOS database, it would be worth using SQL Profiler to measure the durations of queries being made and how they might affect those already running. I would imagine all of the tools you mention are mindful of not hammering a database for reporting purposes and all can be monitored in SQL Profiler to see the extent of their queries.

Ultimately it's all down to how aggressive the queries need to be to provide the level of real-time information you need and the scope of those queries. I would suggest starting in a conservative manner and building up over time.

If the queries are going to be very expensive you could possibly set up some SQL replication to send the data from the Sophos database to another database that you could then query without risk of affecting the performance beyond the hit imposed by SQL transactional replication. Or even a backupdb.bat to export and restoredb.bat to restore the data to another SQL instance that could be queried essentially in off-line mode, but it sounds like you want something more real-time than this.

In addition to that, I believe that there is shortly to be a supported interface to the Sophos SEC database for such tasks in an effort to standardise custom queries. This will consist of an interface of SQL views that can be queried to access information one might want in a report. There is also to be a Windows service released at the same time, apparently, which will dump out custom data feeds as text files (as defined by the admin) for tools such as Splunk to be able to read in and index. So Splunk might be one you may wish to consider.

Hope this is helpful.

Jak
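One way to check the two things Jak raises (whether a collector's queries are blocking the management service, and how long the queries it issues actually take) without leaving SQL Profiler running, as an added example that is not from the thread: two T-SQL queries against SQL Server's dynamic management views, which can be run ad hoc or scheduled to sample the instance hosting the SEC database. They assume SQL Server 2005 or later and a login holding VIEW SERVER STATE; no database names are hard-coded.

```sql
-- Added example, not from the thread. Requires VIEW SERVER STATE.
-- Query 1: sessions that are blocked right now, who is blocking them, and the
-- program_name of both sides. A SIEM collector holding locks on SEC tables
-- shows up here as blocker_app while the management service waits.
SELECT
    r.session_id                      AS blocked_spid,
    r.blocking_session_id             AS blocker_spid,
    r.wait_type,
    r.wait_time                       AS wait_ms,
    r.total_elapsed_time              AS elapsed_ms,
    DB_NAME(r.database_id)            AS db,
    s.program_name                    AS blocked_app,
    s.login_name                      AS blocked_login,
    b.program_name                    AS blocker_app,
    b.login_name                      AS blocker_login,
    -- The statement currently executing in the blocked request
    SUBSTRING(t.text,
              (r.statement_start_offset / 2) + 1,
              ((CASE r.statement_end_offset
                    WHEN -1 THEN DATALENGTH(t.text)
                    ELSE r.statement_end_offset
                END - r.statement_start_offset) / 2) + 1) AS blocked_statement
FROM sys.dm_exec_requests r
JOIN sys.dm_exec_sessions s      ON s.session_id = r.session_id
LEFT JOIN sys.dm_exec_sessions b ON b.session_id = r.blocking_session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) t
WHERE r.blocking_session_id <> 0
ORDER BY r.wait_time DESC;

-- Query 2: the most expensive cached statements by average duration and reads,
-- the equivalent of watching Duration/Reads in Profiler but read from the plan
-- cache. total_elapsed_time is in microseconds, hence the /1000.
-- The cache is cleared on restart, so compare before and after the collector
-- is switched on to see what it added.
SELECT TOP (20)
    qs.execution_count,
    qs.total_elapsed_time / qs.execution_count / 1000 AS avg_elapsed_ms,
    qs.total_elapsed_time / 1000                      AS total_elapsed_ms,
    qs.total_logical_reads / qs.execution_count       AS avg_logical_reads,
    qs.last_execution_time,
    DB_NAME(t.dbid)                                   AS db,   -- NULL for ad hoc batches
    t.text                                            AS batch_text
FROM sys.dm_exec_query_stats qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) t
ORDER BY qs.total_elapsed_time / qs.execution_count DESC;
```

Query 1 only shows blocking that exists at the instant it runs, so schedule it every minute or so into a table while the collector is being trialled rather than running it once.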