In Defense of David Bianco

I'd like to second the post by David Bianco that Sguil is not a Security Information Management (SIM) or Security Event Management (SEM) product. I think Sguil creator Bamm Visscher summarized the issue nicely when he said the following in the #snort-gui IRC channel:

SIMs take in all this information from points a-w, but the value is less than if you'd just grab data from x, y, and z.

I've advocated elsewhere that the garbage (the a-w) shoved into SIMs/SEMs does not necessarily produce a diamond when "correlated," summarized, or otherwise reported. I have advocated the value of simply collecting all logs in one place (log centralization), because logs should never be exclusively stored on a target system. (Bejtlich: "Every system is a future victim." This is a corollary of "Prevention eventually fails.")

Sguil's x, y, and z is alert data from Snort, session data from SANCP, and full content data from a second instance of Snort, or Tcpdump or Tethereal. In my experience performing network security, these are the three indispensible elements of detecting and responding to intrusions. I couldn't imagine doing my job without them, and prior to starting my own company I refused jobs at MSSPs that were unwilling to collect, analyze, and escalate that data.