PaulDotCom mailing list archives
Re: SOC common/best practise?
From: CP Constantine <conrad () 1211 net>
Date: Thu, 22 Jul 2010 01:10:56 -0400
On 7/21/2010 4:41 PM, k41zen Me wrote:
> 3) Not enough information about the alert being sent to the correlation engine?
Largely, this (in my not so humble experience). Security decisions are largely driven by context. Log correlation is largely about providing context via corroboration. But log entries themselves rarely contain actual information; they contain summaries of information...

The system I've been building for our CIRT takes the correlated alerts as a driver, and then hooks back to the controls those logs came from, to extract and collate the source data into a complete incident report that has the entire contextual dataset, to give that 'at a glance' big picture case file to work from. Then it goes and adds asset/org/tech data for the entities present, to bring that case file into the light of business process context as well.

Correlation engines are 'just another security control' - they're a good hub control to tie other controls together, and produce context via corroboration between controls as an initial driver for response action, but they still aren't the end product to the workflow chain. (yet).
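An added example (not the poster's CIRT system, which is not published here) of the alert-driven collation described above: the correlated alert carries references back to the controls that fed it, the script fetches those source records from each control and then attaches asset/org/tech context for every entity it finds, flagging entities with no inventory entry. The control logs, inventory and alert are constructed sample data.

```python
"""Hypothetical alert-driven case-file builder; all data is constructed."""
from collections import defaultdict

# Constructed: raw records still held by each source control, by control name.
CONTROL_LOGS = {
    "ids": [
        {"id": 101, "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "ET SCAN Nmap"},
        {"id": 102, "src": "10.0.0.9", "dst": "10.0.1.20", "sig": "ET POLICY RDP"},
    ],
    "fw": [
        {"id": 501, "src": "10.0.0.5", "dst": "10.0.1.20", "action": "deny"},
    ],
    "auth": [
        {"id": 900, "user": "svc_backup", "host": "10.0.1.20", "result": "fail"},
    ],
}

# Constructed: asset / org / tech inventory for entities seen in the events.
ASSETS = {
    "10.0.1.20": {"name": "db01", "owner": "Finance", "role": "payroll DB"},
    "10.0.0.5": {"name": "wks-017", "owner": "Helpdesk", "role": "workstation"},
}


def build_case_file(alert):
    """Turn a correlation-engine alert (name plus (control, event id) refs)
    into a case file holding the full source records and business context."""
    case = {"alert": alert["name"], "events": [], "entities": {}, "unknown": []}
    wanted_by_control = defaultdict(set)
    for control, event_id in alert["refs"]:
        wanted_by_control[control].add(event_id)
    # Hook back to each control and pull only the records the alert cites,
    # so the analyst sees the original data rather than the engine's summary.
    for control, wanted in wanted_by_control.items():
        for record in CONTROL_LOGS.get(control, []):
            if record["id"] in wanted:
                case["events"].append({"control": control, **record})
    # Enrich every address in the collated events with asset/org/tech data.
    for event in case["events"]:
        for key in ("src", "dst", "host"):
            ip = event.get(key)
            if not ip or ip in case["entities"]:
                continue
            if ip in ASSETS:
                case["entities"][ip] = ASSETS[ip]
            elif ip not in case["unknown"]:
                case["unknown"].append(ip)  # inventory gap the analyst must fill
    return case
```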