Security Basics mailing list archives
Re: Review of logs/audit trail - whose responsibility?
From: krymson () gmail com
Date: Wed, 30 Sep 2009 13:27:29 -0600
<- snip ->
From my point of view, IT should be the one reviewing the logs. These logs
contain technical information and IT is the only one aware of what is going on and what should NOT happen. <- /snip -> Of course, IT has many other things to do as well, which are probably more important/mission critical to getting things done. If you put log review against pretty much any other task general IT does, the log review will get put lower (not just because some people hate it, but because no customer is likely waiting for it to happen). Keep in mind there are different types of logs. Some are security-related in nature. Others are just application specific and hold really no security value, but rather value to app debuggers. As others have said, it should be done by someone with enough knowledge to make sense of logs, but also (ideally) someone who is not generating the logs themselves. This last part is an ideal and probably not practical for any but the largest or most security-necessary organizations. Most of the time, network or IT staff, or even overworked security staff end up doing it in between all the other things they monitor (or just let some SEIM do it...as long as they're standard logs). The reviewer also should have the ability or power to dig deeper into any strange log entries, ask questions of necessary persons, dig in the dark corners that may hold answers, and possibly even start the ball rolling on invoking incident response/containment. They should also have some knowledge on why log entries might be made and able to make suggestions on how to fix any issues in them. Otherwise the whole exercise just becomes a daily sign-off and ignore "task." <- snip -> Dear all, a simple question: we all agree that there must be logs and audit trails to enable tracing back and monitoring of suspicious activities Logs should be reviewed regularly to identify abnormal activities however, who should "ideally" be responsible for this regular (daily) monitoring of logs? Is it IT, IT Security or Computer Audit? I know that each company might implement it differently, but from a conceptual point of view, in terms of security, what will be the most appropriate choice? thanks for your comments Regards, Ronish ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Review of logs/audit trail - whose responsibility? sfmailsbm (Sep 23)
- RE: Review of logs/audit trail - whose responsibility? Rivest, Philippe (Sep 28)
- Re: Review of logs/audit trail - whose responsibility? Quentin Chung@Programmer (Sep 28)
- Re: Review of logs/audit trail - whose responsibility? Gleb Paharenko (Sep 28)
- Re: Review of logs/audit trail - whose responsibility? M.D.Mufambisi (Sep 29)
- Re: Review of logs/audit trail - whose responsibility? Dan Anderson (Sep 30)
- Re: Review of logs/audit trail - whose responsibility? M.D.Mufambisi (Sep 29)
- <Possible follow-ups>
- Re: Review of logs/audit trail - whose responsibility? craig . wilson (Sep 28)
- Re: Review of logs/audit trail - whose responsibility? ron (Sep 28)
- Re: Review of logs/audit trail - whose responsibility? krymson (Sep 30)