Security Basics mailing list archives
RE: Logging Archival Solutions?
From: "Ahsan Khan" <jahilkhan () verizon net>
Date: Tue, 28 Aug 2007 14:43:15 -0400
Hi, It depends what you want to achieve by implementing a log collection solution. A SIM Device like RSA solution will Collect all the data as fast as possible (may be faster then other products in the market) but may not create a relationship between an attack happening to MS windows server where packet is traveling from a Cisco router to a switch to a server. Normally if ones Edge Devices / Firewalls are from a single Vendor and servers and other devices are from others it's a good idea to have 2 different solutions in place which can understand each other. Cisco MARS has achieve this by integrating into MS MOM solution. So now from Edge Device to Switching to Firewall to VLANS to the server a packet flow is traceable which enable us very quickly to isolate and identify a situation. More over if one has an IPS solution implemented and integrated into above setup it works great (Considering every thing is configuring right). Please note that effectiveness of these solutions also depends knowledge of Administrator and available resources. If configure right these solution provide alerting systems which can alert a security team of an attack happening if detected rapidly. One can spend hours on this discussion but a person with the knowledge of current setup is the best judge for implementing the solution. Regards Ahsan Khan -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jplee3 () yahoo com Sent: Monday, August 27, 2007 12:46 PM To: security-basics () securityfocus com Subject: Logging Archival Solutions? Hi all, Just wondering what your takes are on the logging solutions out there. Specifically as regards to PCI DSS. I know there are a TON of companies focusing their efforts on helping fulfill req 10 and audit trails. It seems like there are quite a few out there who can effectively correlate and perform forensics on log data. My concern is that it still seems there is a hole or something missing in the overall picture. Obviously, we're not all going to be monitoring these log servers/appliances 24/7 (unless you hire people to do 24/7 in shifts), so what if an attack (i.e. brute force ala TJ Maxx) successfully occurs over the weekend or when someone ISN'T watching or tending to their cellphone/pager/email/etc for whatever reason? Yes, the logging appliance will capture the attack and record it, but assuming no action or intervention was taken, by that time the system(s) will have been compromised. So again, it seems like many companies are focusing in on the forensics aspect, which I believe is important, especially in court. But what about doing more actively to prevent attacks? What about automated remediation and active response? I'm trying not to be biased here, but the only company I've seen who has taken big steps towards this is TriGeo. Has anyone else here heard of them? Or have any experience using their solution? I've only sat in on a demo and have read a bunch of whitepapers, and most other SIMs/logging solutions/etc pale in comparison. It just seems easier/less confusing to use overall. I've also sat in on Cisco MARS, CSA, and RSA EnVision demos and wasn't nearly as impressed with any of these solutions. CSA, potentially coming the closest in terms of endpoint security/policy enforcement, seems interesting, but not nearly as flexible or powerful in terms of policies, rule sets, and automated defined responses per a specific action. I'm just trying to get a sense here from what others have done, but it seems hard to find a good amount of people who can or are willing to share. Maybe it's because most of us are still working at it and have the same questions I do, or haven't even thought of it yet (in which case: you better get on it!). Or is it because many people are just secretive about the whole thing? I guess I could understand why if so... but why not just tell us a) what you're using, and b) why you like it - I don't see anything that could jeopardize your company in providing such information. Oh well, I'm really trying to push TriGeo with my managers but I've been finding it difficult. They're partial to Cisco MARS/CSA because we already have a Cisco contact/sales engineer and outside consultants who also strongly advise mostly Cisco stuff. I just think most people here are deep into the Cisco mindset. So sometimes it's hard thinking outside the box. Any opinions would be greatly appreciated. Thanks! -J
Current thread:
- Logging Archival Solutions? jplee3 (Aug 28)
- RE: Logging Archival Solutions? Ahsan Khan (Aug 28)
- Re: Logging Archival Solutions? Daniel Cid (Aug 30)