I'm here to ask a particular question regarding the integration of IBM Guardium with SIEM technology. The case I have is one where Guardium has been operational for about 1 year now and has collected logs both from S-TAP agents and from a network tap.
Those logs / events are stored in SAN storage. Does anyone have anything to say about exporting such events to a SIEM for correlation purposes? Are there any concerns I should be aware of before trying to pull off this integration scenario? The particular SIEM I'm referring to is Q1 Radar.
For one obvious point, I see that if I had a Guardium appliance in place I could always pull logs from the box using syslog, or better, through the universal feed method. But what I see in my case is that my SAN storage has uncorrelated logs, and not all events are required to be sent to Q1 in my case. How would I filter logs at the SAN storage level? It's not the same as regex or filters based upon event contents.
I know management would love to see some sense or real value from the integration, like the 1 year of DB logs suddenly becoming more tangible and interesting. It's really hard to develop correlation rules based upon past data when you don't have time on your side.
I'd just like some reasoning and recommendations on the topic.