Home page logo

basics logo Security Basics mailing list archives

Logging Archival Solutions?
From: jplee3 () yahoo com
Date: 27 Aug 2007 16:46:02 -0000

Hi all,
   Just wondering what your takes are on the logging solutions out there. Specifically as regards to PCI DSS. I know 
there are a TON of companies focusing their efforts on helping fulfill req 10 and audit trails. It seems like there are 
quite a few out there who can effectively correlate and perform forensics on log data. My concern is that it still 
seems there is a hole or something missing in the overall picture.

Obviously, we're not all going to be monitoring these log servers/appliances 24/7 (unless you hire people to do 24/7 in 
shifts), so what if an attack (i.e. brute force ala TJ Maxx) successfully occurs over the weekend or when someone ISN'T 
watching or tending to their cellphone/pager/email/etc for whatever reason? 
Yes, the logging appliance will capture the attack and record it, but assuming no action or intervention was taken, by 
that time the system(s) will have been compromised.

So again, it seems like many companies are focusing in on the forensics aspect, which I believe is important, 
especially in court. But what about doing more actively to prevent attacks?  What about automated remediation and 
active response?

I'm trying not to be biased here, but the only company I've seen who has taken big steps towards this is TriGeo. Has 
anyone else here heard of them? Or have any experience using their solution? I've only sat in on a demo and have read a 
bunch of whitepapers, and most other SIMs/logging solutions/etc pale in comparison. 
It just seems easier/less confusing to use overall. I've also sat in on Cisco MARS, CSA, and RSA EnVision demos and 
wasn't nearly as impressed with any of these solutions. 
CSA, potentially coming the closest in terms of endpoint security/policy enforcement, seems interesting, but not nearly 
as flexible or powerful in terms of policies, rule sets, and automated defined responses per a specific action.

I'm just trying to get a sense here from what others have done, but it seems hard to find a good amount of people who 
can or are willing to share. Maybe it's because most of us are still working at it and have the same questions I do, or 
haven't even thought of it yet (in which case: you better get on it!). Or is it because many people are just secretive 
about the whole thing? I guess I could understand why if so... but why not just tell us a) what you're using, and b) 
why you like it - I don't see anything that could jeopardize your company in providing such information.

Oh well, I'm really trying to push TriGeo with my managers but I've been finding it difficult. They're partial to Cisco 
MARS/CSA because we already have a Cisco contact/sales engineer and outside consultants who also strongly advise mostly 
Cisco stuff. I just think most people here are deep into the Cisco mindset. So sometimes it's  hard thinking outside 
the box. 

Any opinions would be greatly appreciated.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]