Re: SOC common/best practise?
From: CP Constantine <conrad () 1211 net>
Date: Thu, 22 Jul 2010 01:10:56 -0400
On 7/21/2010 4:41 PM, k41zen Me wrote:
> 3) Not enough information about the alert being sent to the correlation engine?
largely, this (in my not so humble experience).
Security decisions are largely driven by context. Log correlation is
largely about providing context via corroboration. But log entries
themselves rarely contain actual information; they contain summaries of
The system I've been building for our CIRT takes the correlated alerts
as a driver, and then hooks back to the controls those logs came from,
to extract and collate the source data into a complete incident report
that has the entire contextual dataset to give that 'at a glance' big
picture case file to work from. Then it goes and adds asset/org/tech
data for the entities present, to bring that case file into the light of
business process context as well.
Correlation engines are 'just another security control' - they're a good
hub control to tie other controls together, and produce context via
corroboration between controls as an initial driver for response action,
but they still aren't the end product to the workflow chain. (yet).
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com
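The alert-driven case-file assembly described in the reply above, as an added illustration that is not code from the post, its author or the Pauldotcom list: the correlated alert is the driver, the builder goes back to the controls the underlying logs came from, pulls the raw records inside the alert window that share an entity with the alert, and then enriches those entities from an asset/org inventory. The alert, the source logs and the inventory are all constructed sample data; the window sizes and field names are assumptions.

```python
"""Alert-driven case-file assembly (added example, constructed data).

A correlation engine emits a summary alert with no raw evidence attached.
The builder uses that alert to go back to the originating controls, collect
the raw records that corroborate it, and add business context for each
entity, producing one 'at a glance' case file for the responder.
"""
import json
from datetime import datetime, timedelta

# Constructed raw records as each source control would retain them.
SOURCE_LOGS = {
    "sshd": [
        {"ts": "2010-07-21T13:00:01", "src_ip": "10.0.0.5", "user": "jdoe", "host": "web01", "msg": "Failed password"},
        {"ts": "2010-07-21T13:00:02", "src_ip": "10.0.0.5", "user": "jdoe", "host": "web01", "msg": "Failed password"},
        {"ts": "2010-07-21T13:00:09", "src_ip": "10.0.0.5", "user": "jdoe", "host": "web01", "msg": "Accepted password"},
        {"ts": "2010-07-21T13:30:00", "src_ip": "10.0.0.9", "user": "ops", "host": "web02", "msg": "Accepted publickey"},
    ],
    "vpn": [
        {"ts": "2010-07-21T12:58:40", "src_ip": "10.0.0.5", "user": "jdoe", "msg": "tunnel up"},
        {"ts": "2010-07-21T13:00:30", "src_ip": "10.0.0.7", "user": "asmith", "msg": "tunnel up"},
    ],
}

# Constructed asset/org/tech inventory, keyed by entity type then value.
ASSET_DB = {
    "host": {"web01": {"owner": "web-team", "criticality": "high", "role": "public web"}},
    "user": {"jdoe": {"org": "finance", "title": "analyst"}},
    "src_ip": {"10.0.0.5": {"segment": "vpn-pool", "location": "remote"}},
}

# Constructed correlated alert: a summary only, which is the problem the post describes.
ALERT = {
    "id": "CORR-0001",
    "rule": "ssh failures followed by success",
    "fired_at": "2010-07-21T13:00:09",
    "entities": {"src_ip": "10.0.0.5", "user": "jdoe", "host": "web01"},
    "sources": ["sshd", "vpn"],
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def collect_evidence(alert, logs, before=timedelta(minutes=5), after=timedelta(minutes=1)):
    """Hook back to each originating control and pull the raw records that fall
    inside the window around the alert and share at least one entity with it.
    The window sizes are assumed defaults, not values from the post."""
    fired = _parse(alert["fired_at"])
    lo, hi = fired - before, fired + after
    wanted = alert["entities"]
    evidence = []
    for source in alert["sources"]:
        for rec in logs.get(source, []):
            if not (lo <= _parse(rec["ts"]) <= hi):
                continue
            if any(rec.get(kind) == value for kind, value in wanted.items()):
                evidence.append({"source": source, **rec})
    # One merged timeline across controls is what gives the responder context.
    evidence.sort(key=lambda r: r["ts"])
    return evidence


def enrich_entities(alert, asset_db):
    """Attach asset/org/tech data to every entity named in the alert; entities
    missing from the inventory are flagged rather than silently dropped."""
    context = {}
    for kind, value in alert["entities"].items():
        info = asset_db.get(kind, {}).get(value, {"note": "not in inventory"})
        context[kind] = {"value": value, **info}
    return context


def build_case_file(alert, logs, asset_db):
    """Assemble the complete case file: the driving alert, the corroborating
    raw evidence as a timeline, and the business context for each entity."""
    return {
        "alert": alert,
        "timeline": collect_evidence(alert, logs),
        "entities": enrich_entities(alert, asset_db),
        "sources_consulted": alert["sources"],
    }


if __name__ == "__main__":
    print(json.dumps(build_case_file(ALERT, SOURCE_LOGS, ASSET_DB), indent=2))
```

With the constructed data the case file carries four raw records (three sshd lines and the VPN tunnel that preceded them) ordered into one timeline, while the unrelated sshd and VPN records outside the window or about other entities are left out; the host and user entries carry their owner, criticality and organisation, which is the business-process layer the post says the correlation engine alone does not supply.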