It also suits (or helped develop?) my thoughts that data is what's important. Event data, session data, virus reports, firewall logs, vulnerability data. Good stuff! This is where my hate for vendors comes in: they never work together and they constantly ship a shoddy interface. This is also where my DIY attitude kicks in.
Tools needed:
- perl
- cron
- your existing toolset
Now, ignore your toolset and concentrate on the data it provides. Call the vendor and get access to their SQL database. Pull together your session data and correlate it to your IDS events. Then combine that with open source intelligence such as the dshield blocklist or where a netblock is registered, and add your own whitelist/blacklist checks. Then pull in your antivirus infections. Set up data to pinpoint where a local machine physically resides.
I finally got around to writing a portion of this. I am receiving hourly emails on non-US sites that have sessions to my network (flow data). I check these non-US (and US) sites against dshield's blocklist. I count how many connections I've seen, whether they are on my own personal white/blacklist, and how many IDS events the connections have made. This is all very actionable data, and it's all in just one table. More will be on the way.
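The hourly correlation described above, as an added example that is not the author's perl script (written in Python instead); the flow records, IDS alerts, DShield netblocks and personal list are all constructed, the internal range 10.0.0.0/8 is an assumption, and the country lookup used to pick out non-US sites is left out because it needs an external database.

```python
import ipaddress
from collections import defaultdict
# All sample data below is constructed, not taken from any real environment.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Hourly flow summary as a collector might export it: (src, dst, dst_port, connections)
FLOWS = [
    ("10.1.2.3", "203.0.113.7", 443, 5),
    ("198.51.100.9", "10.1.2.3", 22, 40),
    ("10.1.2.3", "203.0.113.7", 80, 2),
    ("10.5.5.5", "192.0.2.44", 25, 1),
    ("203.0.113.7", "10.9.9.9", 445, 7),
]
# IDS alerts from the same hour: (src, dst, signature)
IDS_EVENTS = [
    ("198.51.100.9", "10.1.2.3", "SSH brute force"),
    ("198.51.100.9", "10.1.2.3", "SSH brute force"),
    ("203.0.113.7", "10.9.9.9", "SMB probe"),
]
# DShield-style blocklist of /24 netblocks (constructed, not the real feed)
DSHIELD = [ipaddress.ip_network("198.51.100.0/24")]
# Personal white/blacklist keyed by external IP
MY_LIST = {"192.0.2.44": "white", "203.0.113.7": "black"}

def external_ip(src, dst, local_net=LOCAL_NET):
    """Return the non-local end of a flow, or None if both ends are on the same side."""
    s_local = ipaddress.ip_address(src) in local_net
    d_local = ipaddress.ip_address(dst) in local_net
    if s_local == d_local:
        return None
    return dst if s_local else src

def correlate(flows, ids_events, blocklist, my_list, local_net=LOCAL_NET):
    """One row per external IP: connections, IDS event count, DShield hit, list status."""
    rows = defaultdict(lambda: {"connections": 0, "ids_events": 0})
    for src, dst, _port, count in flows:
        ext = external_ip(src, dst, local_net)
        if ext:
            rows[ext]["connections"] += count
    for src, dst, _sig in ids_events:
        ext = external_ip(src, dst, local_net)
        if ext:
            rows[ext]["ids_events"] += 1
    for ip, row in rows.items():
        addr = ipaddress.ip_address(ip)
        row["dshield"] = any(addr in net for net in blocklist)
        row["list"] = my_list.get(ip, "-")
    return dict(rows)
if __name__ == "__main__":  # print the one-table hourly summary
    for ip, r in sorted(correlate(FLOWS, IDS_EVENTS, DSHIELD, MY_LIST).items()):
        print(ip, r)
```

Each row is what the hourly email needs: a blocklist hit with many connections and IDS events stands out immediately, while a whitelisted host with no events can be skipped.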
I still need to look into session data from a services/ports perspective, and add in my IDS stats, antivirus stats, and maybe some web proxy stats just for added fun. In short, if I can aggregate all these feeds into one source, a few really neat things happen. The most important is situational awareness. But I can also summarize this data into daily/weekly/monthly reports. That sounds awfully close to being able to trend your posture over time. You may even be able to draw inferences about performance/security/ROI with such things.
Mental picture: Your data is a small shiny sphere. You are pac-man.