
Thread: What do you use for security monitoring products?

  1. #1
    Sitemon

    What do you use for security monitoring products?

    I've used aide and tripwire in the past, but I'm looking at some new solutions. OSSEC looks pretty good, and someone already commented that they were looking at alienvault.com (though it looks like you need to use the Pro commercial version to get the good stuff). Any others out there?

  2. #2
    Kevin1981

    I suggest using a SIEM product to manage all your security issues.

    In my experience, you may consider the following things when choosing a great SIEM product:
    i) A good SIEM product is a good tool and platform; it should support you in the IT standardization of your company.
    I think this is the most important thing, in order to follow your company IT policies, e.g. ISO 27001, BS 25999, ITIL, private policies, etc.
    ii) How many log types does the SIEM product support?
    A great SIEM product must support devices from very different software/hardware vendors, and it should also be flexible enough to support your customized logs.
    iii) How many EPS (events per second) does it handle?
    Most SIEM products are based on a database infrastructure. They do realtime dashboards and event correlation all based on the database. That causes an issue: poor performance. If you are in a big site (EPS > 3000), I think database-based SIEM products shouldn't work; in other words, MQ (message queue) based SIEM products might be better.
    iv) What is its ability in correlation?
    Three points of view: time-domain, cross-device and cross-site correlation, especially cross-device correlation. We select valuable information from firewalls, IDS (whatever HIDS/NIDS/LIDS...), vulnerability scanners, asset information, etc. A good SIEM product should support different types of devices in order to correlate on valuable data. A pattern discovery function is also important.
    v) Does it support ticket systems?
    Correlation finds some issues and creates incidents. The ticket system basically launches workflows for incidents. You can design flows depending on your enterprise policies, so the incident will be processed automatically. So the SIEM collects all valuable logs in the front end, does correlation, creates incidents and launches workflows; this is the life cycle of SIEM products. I think good SIEM products should support at least one ticket system, whether a 3rd-party one or an embedded one.

    Gartner announced a report related to SIEM products in 2009. I think you may like it.
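As an added illustration of the collect / correlate / create-incident / launch-workflow cycle described in post #2 (example code, not from the thread or from any SIEM product): a minimal time-window, cross-device correlation rule run over constructed firewall, NIDS and HIDS events. The event format, device names, thresholds and the ticket fields are assumptions made for this example.

```python
# Added example: time-window, cross-device correlation feeding a ticket workflow.
# Events, device names and thresholds are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalised events: (device type, timestamp, source IP, signature).
EVENTS = [
    ("firewall", "2009-12-14 10:00:01", "203.0.113.5", "DENY tcp/22"),
    ("firewall", "2009-12-14 10:00:03", "203.0.113.5", "DENY tcp/22"),
    ("nids",     "2009-12-14 10:00:04", "203.0.113.5", "SSH brute force"),
    ("firewall", "2009-12-14 10:00:05", "203.0.113.5", "DENY tcp/22"),
    ("hids",     "2009-12-14 10:02:30", "203.0.113.5", "auth failure"),
    ("firewall", "2009-12-14 11:15:00", "198.51.100.9", "DENY tcp/445"),
]

def parse(ev):
    """Turn a raw tuple into (device, datetime, src, signature)."""
    device, ts, src, sig = ev
    return device, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, sig

def correlate(events, window=timedelta(minutes=5), min_devices=2, min_events=3):
    """Group events by source IP and raise one incident per source when at
    least `min_events` events from `min_devices` distinct device types fall
    within `window` of that source's earliest event (time-domain + cross-device)."""
    by_src = defaultdict(list)
    for ev in sorted(map(parse, events), key=lambda e: e[1]):
        by_src[ev[2]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        start = evs[0][1]
        in_window = [e for e in evs if e[1] - start <= window]
        devices = {e[0] for e in in_window}
        if len(in_window) >= min_events and len(devices) >= min_devices:
            incidents.append({
                "source": src,
                "devices": sorted(devices),
                "first_seen": start.isoformat(),
                "event_count": len(in_window),
                "signatures": sorted({e[3] for e in in_window}),
            })
    return incidents

def open_ticket(incident):
    """Hand the incident to a (hypothetical) ticket workflow; here it just
    builds the ticket record so the result can be inspected or asserted."""
    return {"title": f"Correlated activity from {incident['source']}",
            "priority": "high" if len(incident["devices"]) >= 3 else "medium",
            "incident": incident}

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(open_ticket(inc))
```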

  3. #3
    Kevin1981

    HIDS are the past. They are too much of a hassle in a large network. Also, they cause a great deal of false positive alarms, and they are simply not flexible (look at Tripwire; it is a hassle to configure and maintain).

    Many HIDS are unusable in a virtual environment, and the big hassle is license management. Developers and operations need to deploy and destroy virtual images by the minute; what happens is that you allocate a large amount of HIDS licenses that you don't recover when operations destroys the image.

    Also, many anti-virus technologies have today integrated some kind of HIDS (like Symantec); even if that is not the best of breed, it may work at least in the Windows world.

    The real pain is also installing the agent. In a large DC, when you have complex management and different departments responsible for different systems, this becomes a challenge.

    What we actually try to do today is agentless scanning. There are vulnerability and compliance scanning solutions like nCircle that can even log in to the systems if proper credentials are configured, check for file integrity, and report on configuration changes. This works better in dynamic and complex environments where near-real-time compliance is sufficient. It probably doesn't if you need a really rigid policy and you want to implement strictly real-time protection against threats (which is anyway a dream, as we all know).

    However, which solution best applies to you is really dependent on many factors.
