In this post, the idea is to propose some important questions that we can use to help choosing the right solution. There are questions regarding technical and non-technical aspects as, for example, support, training, user interface, etc. Using this questionnaire it's possible to prepare a scorecard to obtain a best comparison. We can assign the following values: 0 for Absent, 1 for Limited Functionality, 2 for Complete Functionality and 3 for Exceeded Expectations.
- How many pre-existing parsers does the solution have (this is very important so it will be not necessary to develop new parsers to extract the log content)?
- How easy for creating new parsers?
- User Interface (intuitive? easy to operate?)
- Ability to collect events (volumetry)
- Storage of events (compression, file system type, external storage, cryptography)
- Event correlation process (is it easy to create correlation rules?)
- Normalization of logs
- Solution scalability (architecture, collectors, databases etc)
- High Availability
- Security in the communications between the components of the solution
- Reports (pre-existing, customization, compliance reports)
- Position in the Gartner's quadrant
- Ticketing system integration (integration with Remedy, for example, or an internal ticketing framework)
- Is it possible to filter events at the collectors (without sending some type of events to the infrastructure)?
- Possible to correlate information from IDS/IPS with Vulnerability Scanners?
- Possible to segregate functions inside the console?
- Technical support (other language options: portuguese/spanish/french/etc?, 24x7? SLA's?)
- Training (localized training?)
Posts
